Solved: Enclave remote attestation from dll

nadiaivc · ‎06-01-2021

Hello!
So now I know how to load enclave dll from injected untrusted dll module (running an enclave dll from dll). It works. But now I want to do remote attestation with this structure. For remote attestation I use this sample: https://github.com/intel/sgx-ra-sample . I'm running sp.exe (server) and I create dll from client part and inject it to the target.exe. (sp.exe + client.exe works good). And it stops working on sgx_get_extended_epid_group_id() - no error, no messages - just waiting for the return value. I can't find anything in documentation about it. And of course I can't debug sgx functions to understand why it might not work with dll...

Is it possible in theory to do what I want?

nadiaivc · ‎06-05-2021

Yes! I tried to use ManualMap from Guided Hacking injector and it works good! But anyway I don't know why it doesn't work with LoadLibrary. If I find the answer, I will write about it.

View solution in original post

JesusG_Intel · ‎06-02-2021

Hello nadia111,

In theory, it is possible to do what you want. While I cannot tell you exactly how to create your DLL solution from the sgx-ra-sample, I can guide you on what to look for.

Ensure that...

Install the latest PSW components.
You can successfully run the sgx-ra-sample as-is.
Pass the correct arguments from the run-client script.

Sincerely,

Jesus G.

Intel Customer Support

nadiaivc · ‎06-02-2021

Hello!

Yes, it works successfully for sp.exe and client.exe (I wrote all the arguments as constant values in the code (spid, pri api key, ...) - I know it isn't a good idea, but first of all I want my structure to work). How it works:

After that, I changed the client project settings to .dll and injected this dll into hello.exe.

I also tried to avoid sgx_get_extended_epid_group_id (): sgx_get_extended_epid_group_id () always returns 0 for msg0_extended_epid_group_id, so I set this variable to a constant value = 0, but in this situation my program stops working on the next sgx function sgx_ra_get_msg1()

JesusG_Intel · ‎06-03-2021

Hi Nadia, I'm not familiar with LoadLibrary. Is there any way to do this without LoadLibrary?

Sincerely,

Jesus G.

Intel Customer Support

nadiaivc · ‎06-03-2021

Yes, I will try to use some injectors with different ways to inject dll
But LoadLibrary is the only one documented and "legal" method from all of them

nadiaivc · ‎06-05-2021

Yes! I tried to use ManualMap from Guided Hacking injector and it works good! But anyway I don't know why it doesn't work with LoadLibrary. If I find the answer, I will write about it.

nadiaivc · ‎06-12-2021

I have uploaded the complete code to the github (https://github.com/nadiaivc/LoadSGXenclaveInProcess). I hope this can help someone!!

JesusG_Intel · ‎06-07-2021

Hi Nadia,

I'm not an expert in DLL linking, and it is beyond the scope of SGX support, but it seems that you are trying to use run-time dynamic linking vs load-time dynamic linking. I am more familiar with load-time: https://docs.microsoft.com/en-us/windows/win.32/dlls/load-time-dynamic-linking.

With load-time linking, you don't need to do DLL injection.

Sincerely,

Jesus G.

Intel Customer Support

nadiaivc · ‎06-10-2021

Yes, I use run-time dynamic linking. I want to inject my enclave in different processes (and I don't want to manipulate someone else's .exe code). So I think injection is a good decision for me in this situation, but I'm not sure because I don't have much experience...

JesusG_Intel · ‎06-10-2021

Hello Nadia,

Run time loading of enclave DLLs is possible as we have many customers doing this. Since this is not an SGX limitation, I'm not sure how else to help you. You may be better served by seeking advice on Windows DLL loading from other forums such as StackOverflow.

Sincerely,

Jesus G.

Intel Customer Support

nadiaivc · ‎06-10-2021

Yes, I'm not sure why the solution with LoadLibrary doesn't work. And yes, I know it is out of the scope of discussion on this forum, so if I don’t figure it out, I’ll ask the question on other forums.
But anyway I found the solution how to run my DLL in the way I want. I guess I had to close this topic in the time I found the solution... Sorry!

Thank you for your time! I appreciate it!

JesusG_Intel · ‎06-10-2021

I'm glad you found a solution that works for you, Nadia.

This thread has been marked as answered and Intel will no longer monitor this thread. If you want a response from Intel in a follow-up question, please open a new thread.