Academic VBS-enclave shellcode loader (Yuste / Soriano-Salvador, Recon 2023)
Attributions are based on open-source threat reports. A family appearing here means at least one syscall record cites it; absence does not imply non-use.
5 syscalls cited
- NtCreateEnclave
Allocates a new enclave (SGX or VBS/VTL1) inside a target process's address space.
- NtInitializeEnclave
Finalises an enclave after image load — verifies signatures and transitions it to executable state.
- NtCallEnclave
Transitions execution from VTL0 host code into a routine inside an initialised enclave.
- NtTerminateEnclave
Tears down an enclave, releasing its VTL1 memory and signalling any threads still inside.
- NtLoadEnclaveData
Copies a page-aligned buffer (code or data) from VTL0 host memory into an enclave's VTL1 range before initialisation.