Contents
Understanding VTLs and VBS enclaves
Investigating attack strategies
Abusing debuggable enclave modules
But, wait — there’s more!
Bring your own vulnerable enclave (BYOVE)
Mirage: VTL1-based memory evasion
Anti-debugging
Safeguarding your environment

Attackers are always seeking new ways to deliver and execute malware on a host without being detected. We researched some novel techniques for running malware inside a virtualization-based security (VBS) enclave and evaded common security safeguards. On August 8, 2025, I explored this attack surface in a presentation at DEF CON 33 in Las Vegas.

Part of Microsoft’s security implementation, VBS creates a virtual environment designed to isolate critical OS components. VBS enclaves enable the isolation of a region of a process, making it inaccessible to other processes, the process itself, and even the kernel. While VBS enclaves can improve security, they can also present enticing possibilities for attackers.…