Oracle events hunting

1. PART 2 : ORACLE EVENTS
HUNTING
HATEM MAHMOUD
HTTPS://MAHMOUDHATEM.WORDPRESS.COM
HIGH FIVE POUG
Geeking out with the WeedMan

2. 2
HOW TO BUILD AN ORACLE
EVENT MAPPING FILE
… IN 10 MIN !!

3. 3
BUILDING AN EVENT MAPPING FILES
https://github.com/hatem-mahmoud/scripts/blob/master/oracle_function_to_event_mapping19c.txt

4. 4
WHY ?

5. 5
EXTRACTING CHECKED EVENTS
https://github.com/hatem-mahmoud/scripts/blob/master/oracle_function_to_event_mapping19c.txt
Quickly extract checked events in a specific core oracle function using a simple mapping file :

6. 6
EVENT SNIFFING
https://mahmoudhatem.wordpress.com/2018/10/29/oracle-trace-events-hunting-events-annotations-events-sniffing/
Extracting “all” checked events in specific execution path : After executing select * from dual for example:
*Using Intel Pin tool debugtrace.so to trace program exécution flow

7. 7
ANNOTATING FLAME-GRAPH
https://mahmoudhatem.wordpress.com/2019/03/06/oracle-19c-event-mapping-files/

8. 8
DISCOVERING UNDOCUMENTED-UNDOCUMENETED EVENTS
https://mahmoudhatem.wordpress.com/2018/10/18/oracle-trace-events-hunting-undocumented-events-filling-the-gaps/

9. 9
AND BECAUSE IT’S FUN !!!!

10. 10
WARMING UP BEFORE THE HINTING
START :
EXTRACTING FUNCTION PARAMETER
FROM A SILLY LITTLE C PROGRAM

11. 11
HOW FUNCTION PARAMETERS ARE PASSED : X86-64 CALLING
CONVENTIONS
https://en.wikipedia.org/wiki/X86_calling_conventions
System V AMD64 ABI (Is followed on Solaris, Linux, FreeBSD, macOS)
• “The first six integer or pointer arguments are passed in registers RDI, RSI, RDX, RCX, R8, R9
(R10 is used as a static chain pointer in case of nested functions[19]:21), while XMM0, XMM1, XMM2,
XMM3, XMM4, XMM5, XMM6 and XMM7 are used for certain floating point arguments.[19]:22 As in the
Microsoft x64 calling convention, additional arguments are passed on the stack.”

12. 12
HOW FUNCTION PARAMETERS ARE PASSED : X86-64 CALLING
CONVENTIONS
https://mahmoudhatem.wordpress.com/2016/10/10/reverse-engineering-what-we-need-to-know-as-a-dba/
int add_value(int a,int b ,int c,int d,int e,int f,int g);
int main()
{
printf ("%dn", add_value(1,2,3,4,5,6,7));
return 0;
};

13. 13
HOW FUNCTION PARAMETERS ARE PASSED : X86-64 CALLING
CONVENTIONS
https://mahmoudhatem.wordpress.com/2016/10/10/reverse-engineering-what-we-need-to-know-as-a-dba/

14. 14
TIME TO LOOK AT THE BIG O : EVENT HUNTING
ORACLE IT'S AFTER ALL ONLY A HUGE C
PROGRAM WITH ABOUT 25 MILLION LINE OF
CODE .. THAT’S IT !
https://news.ycombinator.com/item?id=18442941

15. 15
NUMERIC EVENTS (KS*/DBKD*)
Oracle kernel function
First argument as stored in Register RDI
Function used to check for enabled events

16. 16
EVENTS++/UTS (DBG*)
Third argument
Forth argument
EventId to Event/componenent names ?
Function used to check for enabled events

17. 17
EVENTS++/UTS (DBG*)
https://mahmoudhatem.wordpress.com/2018/10/05/write-consistency-and-dml-restart/
Start with a known case

18. 18
EVENTS++/UTS (DBG*)
• Tracing process execution using Intel Pin tools debugtrace.so
 dbgdpStoreEventIdByName  dbgfcsIlcsGetDefByName return the Event Id
• Enable DML UTS trace event

19. 19
EVENTS++/UTS (DBG*)

20. 20
EVENT NAME TO EVENT_ID MAPPING FILE
https://github.com/hatem-mahmoud/scripts/blob/master/dbgdChkEventIntV_event_list_extended19c.txt

21. 21
KERNEL FUNCTION TO EVENT NAME MAPPING FILE
https://github.com/hatem-mahmoud/scripts/blob/master/oracle_function_to_event_mapping19c.txt

22. 22
THANK YOU FOR YOUR
ATTENTION
https://mahmoudhatem.wordpress.com
@Hatem__Mahmoud
https://linkedin.com/in/mahmoudhatemoracle