Crashing PANDA for 64-bit Windows guests when using -icount

[meatballmaestro]

When running PANDA using the -icount option, with any shift value whatsoever, I get the emulator eventually terminating with the message "Raised interrupt while not in I/O function" while working with 64-bit Windows images (Windows 7 and 10). This behavior does not arise with the version of QEMU that I have on hand (version 4.2.1).

I tracked this down to the following in translate-common.c, beginning at line 48 [1].

        if (!cpu->can_do_io
            && (mask & ~old_mask) != 0) {
            cpu_abort(cpu, "Raised interrupt while not in I/O function");
        }

Rather than go to the trouble of modifying PANDA's source and rebuilding on an isolated machine, I just found the code in libpanda-x86_64.so corresponding to the offending lines and nopped it out. The patched result runs reliably so far.

[1] https://github.com/panda-re/panda/blob/50cf60272b7d3f1044f7330867cca19c2bfcd3ce/translate-common.c#L48

[lacraig2]

Can you elaborate on the reasoning for using -icount?

I don't quite see how these are related, but I think it's possible we could give you an alternative that doesn't conflict with something built for PANDA.

[meatballmaestro]

Because marking the time is a venerable basis for anti-debugging. Without the -icount usage,

rdtsc
mov ebx, eax
rdtsc
sub eax, ebx

produces a noticeably higher value in eax, such as 166, versus the 2 I get when I use

-icount shift=0,align=off,sleep=off -rtc clock=vm

That difference is more than sufficient for the simplest time-based anti-debugging checks to trigger.