From ea1821480f9f1426722b2a560cff0f49dd29010e Mon Sep 17 00:00:00 2001
From: rootacite <1498045907@qq.com>
Date: Fri, 24 Oct 2025 13:44:27 +0800
Subject: [PATCH] [fix] fix race condition.

---
 01/project-hbj-attacker/Cargo.toml  |   2 +-
 01/project-hbj-attacker/src/main.rs |  66 ++++++++++++++++++----------
 01/project-hbj/target               | Bin 15896 -> 15944 bytes
 01/project-hbj/target.cpp           |   6 ++-
 4 files changed, 48 insertions(+), 26 deletions(-)

diff --git a/01/project-hbj-attacker/Cargo.toml b/01/project-hbj-attacker/Cargo.toml
index b39f5be..594bca9 100644
--- a/01/project-hbj-attacker/Cargo.toml
+++ b/01/project-hbj-attacker/Cargo.toml
@@ -7,7 +7,7 @@ edition = "2024"
 dynasmrt = "4.0.1"
 iced-x86 = { version = "1.21.0", features = ["code_asm"] }
 libc = "0.2.177"
-nix = { version = "0.30.1", features = ["ptrace", "uio"] }
+nix = { version = "0.30.1", features = ["ptrace", "uio", "signal"] }
 ctor = "0.6.0"
 libloading = "0.8.9"
 
diff --git a/01/project-hbj-attacker/src/main.rs b/01/project-hbj-attacker/src/main.rs
index c1faa97..564ac69 100644
--- a/01/project-hbj-attacker/src/main.rs
+++ b/01/project-hbj-attacker/src/main.rs
@@ -3,12 +3,13 @@
 mod helper;
 
 use nix::sys::ptrace;
+use nix::sys::signal::{Signal, kill};
 use nix::unistd::Pid;
 use std::arch::asm;
 use std::ffi::CString;
 
 use helper::*;
-use iced_x86::code_asm::{eax, r8, r9, r10, rax, rdi, rdx, rsi, rcx, rsp, rbp};
+use iced_x86::code_asm::{eax, r8, r9, r10, rax, rbp, rcx, rdi, rdx, rsi, rsp};
 use libc::{RTLD_NEXT, c_void, dlsym};
 use libc::{ptrace, user_regs_struct};
 use std::fs;
@@ -103,7 +104,7 @@ fn inject2(pid: Pid, seg_rw: (u64, u64)) -> Result<(), Box<dyn std::error::Error
     Ok(())
 }
 
-fn inject3(pid: Pid, seg_rw: (u64, u64)) -> Result<(), Box<dyn std::error::Error>> // thread inject
+fn inject3(pid: Pid, seg_rw: (u64, u64)) -> Result<i32, Box<dyn std::error::Error>> // thread inject
 {
     let regs = ptrace::getregs(pid)?;
     // Alloc rwx memory
@@ -150,7 +151,11 @@ fn inject3(pid: Pid, seg_rw: (u64, u64)) -> Result<(), Box<dyn std::error::Error
     );
 
     let injected_data = "[%d] I am the injected thread, I am running... \r\n";
-    write_memory_vm(pid, page_addr + 0x200, &CString::new(injected_data).unwrap().as_bytes_with_nul())?;
+    write_memory_vm(
+        pid,
+        page_addr + 0x200,
+        &CString::new(injected_data).unwrap().as_bytes_with_nul(),
+    )?;
     write_memory_vm(pid, page_addr + 0x300, &1i64.to_le_bytes())?;
     write_memory_vm(pid, page_addr + 0x308, &0u64.to_le_bytes())?;
 
@@ -184,8 +189,8 @@ fn inject3(pid: Pid, seg_rw: (u64, u64)) -> Result<(), Box<dyn std::error::Error
     println!("{GREEN}[trace]{RESET} write payload to {:#016x}", page_addr);
 
     // Start Trigger
-    let regs = ptrace::getregs(pid)?;
-    // ptrace::setregs(pid, regs)?;
+    // let regs = ptrace::getregs(pid)?;
+    ptrace::setregs(pid, regs)?;
 
     let injected_trigger = assemble(regs.rip as u64, |asm| {
         asm.mov(rax, 56u64)?; // Syscall 56 (clone)
@@ -221,9 +226,34 @@ fn inject3(pid: Pid, seg_rw: (u64, u64)) -> Result<(), Box<dyn std::error::Error
     wait(pid);
 
     let regs = ptrace::getregs(pid)?;
+    let pid_new_thread = Pid::from_raw(regs.rax as i32);
     println!("{GREEN}[trace]{RESET} int3 at {:#016x}", regs.rip);
+    println!(
+        "{GREEN}[trace]{RESET} new thread is {}, which will be suspend.",
+        pid_new_thread
+    );
 
-    Ok(())
+    ptrace::attach(pid_new_thread)?;
+    wait(pid_new_thread);
+    println!("{GREEN}[trace]{RESET} attached new thread.");
+
+    loop {
+        let regs = ptrace::getregs(pid_new_thread)?;
+        println!(
+            "{GREEN}[trace]{RESET} rip in new thread is {:#016x}.",
+            regs.rip
+        );
+
+        if regs.rip >= page_addr as u64 && regs.rip < (page_addr + 0x1000) as u64 {
+            println!("{GREEN}[trace]{RESET} rip in new thread return to inject payload.");
+            break;
+        }
+
+        ptrace::step(pid_new_thread, None)?;
+        wait(pid_new_thread);
+    }
+
+    Ok(pid_new_thread.as_raw())
 }
 
 fn main() -> Result<(), Box<dyn std::error::Error>> {
@@ -262,22 +292,6 @@ fn main() -> Result<(), Box<dyn std::error::Error>> {
     ptrace::step(pid, None)?;
     wait(pid);
 
-    // ↓ Old behavior, but maybe the process stay in their libraries forever ?
-
-    // loop{
-    //    // Single-stepping, so that RIP returns to the user space of the process itself,
-    //    // rather than in some other library
-    //    let regs = ptrace::getregs(pid)?;
-    //    if is_address_in_range(regs.rip, &lines)
-    //    {
-    //        println!("{GREEN}[trace]{RESET} Address: {:#016x}", regs.rip);
-    //        break;
-    //    }
-    //    println!("{GREEN}[trace]{RESET} Skipped: {:#016x}", regs.rip);
-    //    ptrace::step(pid, None)?;
-    //    waitpid(pid, None)?;
-    //}
-
     // Save context
     let regs = ptrace::getregs(pid)?; // Save current registers
     let buffer = read_memory_vm(pid, seg_x.0 as usize, 4096)?; // Save current memory context
@@ -296,7 +310,7 @@ fn main() -> Result<(), Box<dyn std::error::Error>> {
 
     // Do inject here
 
-    inject3(pid, seg_rw)?;
+    let c = inject3(pid, seg_rw)?;
 
     // End inject logics
 
@@ -306,6 +320,12 @@ fn main() -> Result<(), Box<dyn std::error::Error>> {
     write_memory_vm(pid, seg_rw.0 as usize, &buffer_rw)?;
 
     ptrace::detach(pid, None)?;
+    ptrace::detach(Pid::from_raw(c), None)?;
+
+    let mut input = String::new();
+    std::io::stdin()
+        .read_line(&mut input)
+        .expect("Failed to read line");
 
     Ok(())
 }
diff --git a/01/project-hbj/target b/01/project-hbj/target
index 60be9d0b6ce10b31efbfd324c0e4adaad2f39d87..f8e719b14753b440e1ea168ce90b75304dbff427 100755
GIT binary patch
delta 1412
zcmZ8hZ)jUp6u&p`rOAs)me)4E)Yc`Uqw8ev<<Hh6vmse4?o|{lOeTUP#kICfSyoeA
zBxRk>Nf?u~$3OLhh}(zxwPs%wwHx9rg3wRSKVPyBO2-r|l-WYr^PKmmmYv5t=lsqe
z&b{Z{dlzcUwMIm4gqTSMOR(j+zAMs(*Fqa}ziK|oWdX?r?R=bn-mLOoSLgCerJk1m
z#O90d``yLMwG&UxXrI7UAr=l|G{?Wq%nF%$5N->-d><SZ72XZ9sBwvOD2s7;L5y%$
z^E2@h=hHCMriyP&O;+G!+bd_73qOI0_zR})M#;@ju$F|ni^Z`TZ6c2U;KoO|S~nZD
zZI!-x+={@;v?3&mKW6&~U!D69*D11^ZJT~*QeqhMF5)l+EaZqYW;cY*!l*~-ip!QY
zQ?R7t&A^<e1HSh71K0AFhq@rZH<%+@29vMs@IC;4dlcyL`U9;U)&M;0Rl2B`+f=YL
z4+;*?dW&67RkH6b5NC|MzUHF0!!sY64H$baX^c&{(RjN7Goi<x?m)aguI`GSqiCjI
z%vI5%Uvy8A$Zk}^`UUr074>(nRV1UeD>_SY-`Nu5ht2qdgK#I*!@mcwynA1mT0fn7
zUVl3`g{e%h|4|9(7jl0hFv2C|t1ladal`!=JSPuy91ofmKSsM=|5>m9u=*Z+DnFS1
zcmKAbcF!=DS|GC3w@}07?ZKR{Xo!0K#uCZZEIRJ|j#_g?7K8IKUsPqhTX-UdCORIS
z{}{$ml;=<mpqzoeST8TYNUWQe;kDSK?oITRn;*o4!0@a+P-n1Ifr!o)k%RO1;o<x6
zF}Srq%C~^4MP7nYHOc|bs(Idk>uOY<uqQ@CB03FgYW|Uk4Y5Nf$!cFWhO0C2I*e#H
z<@5GEr3j)7B;rfBowc~a;~*s-hl<$A$03nWy3V4%odsCk-c{MmVC+1c5|zYHh-6oU
zIfvJFvfn7n6=Yj>mSb<h^+XhRa4S*7dWVx5);pCPf+w-wx3HL0_>bnrzH4$n$SH;I
zHF=si6jDcJy3=EYBhL&E4i%GXQauQeS^(abhRT8C?bENnIyP3`>2BUUaE~{C>5p+f
z0h?(}F3}lAawI@Dqsi;mBf}iI8>$)2=QK3pfiE)s(rLTD*zHVudj`%d8j#JN!2`hs
z1y-{EzlYAdI0>6sO>%m&1&KpPxW8FFWN@xSbwHEi1#@964vPbM8i>ggxxBAL*MdlZ
VH*@_`DP^G%_%fH~i?EjK{ST2NA2t90

delta 1334
zcmZ8hUuYa<5dY?O_wM%6OK;P}yEMhyYn0@)-TT)xcQMynQ>2^X!v&)isU%TSiC8@F
z0*zFA^$!@5LUKb*gd%wmOML0W6&mP66`|%qB@gj06k0_{EJzA{sMxyBxBG2doMUIc
z`OR;3=VoSi_2lBoxtLaqFh@++u*Lc0d37b|dMoq4q(axgb*=%nz%f{AOhK2gb>P<*
zRu?*6D}0{(<no2j&c6O<<@`RpDCuosV)G2YlNE8!Vce9ul$`|c##_D}Xv#4Nq9#Xi
zNseJfP6KeSu_n&|9`zeI=N~`iV-k}Y*Ai)kG&nzQeJn{g<E5wR8o0CIW5jq#VAW)u
z{(!_LcpW61UluX$U!4D#s*~BIz$SN2sEjx@!Cx#A3Ev4cJyX#*pRpy5kchr8UEpcc
zf$!s<zfy8>-UPt!0#W=nur0j$5GvulK(syN(j5KsL(wMO8;s(f;I^=7x)g;>7+(%X
zLB`482&fIM<+(sTQp34O;&5k*vD?Rt?ePyBwsod>nh@)Z@-{bxJJmL8M)C9WhhJ7z
z`}+2HjT65XmiR*szvnRi6WIknU`%`TiN|?wCv(qR?-$=Q=x9y<Q4L!&#lOh0+bX0t
zUbSues&W@cwf-H|X6K2^gj>@;TGQWbe2N#eM>+xzfZ2a-`wD;X#w&EXdAo5}lbh@6
zp1K~2Q=>Yhr*sNRbhU2T_AuEh*?zLeF{yV!8i(`_7{%jyr?N?rBaO4V6dv@Z<V{74
z(b*BorTM#(7YEND_@7_K8++rhhG2|<g=0n>X7RL9f)n_a5!XyH{D8Py8E+Y-#Fo3~
zj2iJK56~hyLe)9`Iu50NqU~}ejfM1;_Ppu&uKkGW&{>Riqn3FRhcm71Jhg>|*_7C`
zBO;-SPs`EFW%4v%jCtE8f^3y%`I_09$nx;-c^2H{8n0)9P{Ym42;^}vn}Tkf${xh^
zY%5&iuOR%+wemNwh`*}PhM8Ox9^)EEbHjKwx1hcC#`t)}JoN0~z`>EMku`eo=)QA}
zrk;DyP<lH7%9zZjG>fk+iDzeVg3xu*FVF76<$NmSb#cp&zvcI<Wzpj@CJMdx8}AL^
z1WpuA(H4Ldt@l0nf_YyudU{_<^?I;|V||Ap)L8Db0Zd%(PpRFeQx~=SMt_OgkSKCJ
fRxE{H<Qq@2;lnSA`&BdNx(9Hx*bDDs;y~Ab5c&uf

diff --git a/01/project-hbj/target.cpp b/01/project-hbj/target.cpp
index 9345a20..28bda69 100644
--- a/01/project-hbj/target.cpp
+++ b/01/project-hbj/target.cpp
@@ -4,6 +4,7 @@
 #include <unistd.h>
 #include <sys/types.h>
 
+
 int main()
 {
     pid_t pid = getpid();
@@ -11,6 +12,7 @@ int main()
 
     while(true)
     {
-        sleep(0);
+        usleep(1000 * 300);
+        write(1, ".", 1);
     }
-}
\ No newline at end of file
+}