
Oracle events hunting [POUG19]


  1. PART 2: ORACLE EVENTS HUNTING. HATEM MAHMOUD, HTTPS://MAHMOUDHATEM.WORDPRESS.COM. HIGH FIVE POUG. Geeking out with the WeedMan
  2. HOW TO BUILD AN ORACLE EVENT MAPPING FILE … IN 10 MIN!!
  3. BUILDING AN EVENT MAPPING FILE: https://github.com/hatem-mahmoud/scripts/blob/master/oracle_function_to_event_mapping19c.txt
  4. WHY?
  5. EXTRACTING CHECKED EVENTS: quickly extract the events checked in a specific core Oracle function using a simple mapping file: https://github.com/hatem-mahmoud/scripts/blob/master/oracle_function_to_event_mapping19c.txt
  6. EVENT SNIFFING: extracting "all" the events checked on a specific execution path, for example after running select * from dual (*program execution flow traced with the Intel Pin tool debugtrace.so). https://mahmoudhatem.wordpress.com/2018/10/29/oracle-trace-events-hunting-events-annotations-events-sniffing/
  7. ANNOTATING A FLAME GRAPH: https://mahmoudhatem.wordpress.com/2019/03/06/oracle-19c-event-mapping-files/
  8. DISCOVERING UNDOCUMENTED UNDOCUMENTED EVENTS: https://mahmoudhatem.wordpress.com/2018/10/18/oracle-trace-events-hunting-undocumented-events-filling-the-gaps/
  9. AND BECAUSE IT'S FUN!!!!
  10. WARMING UP BEFORE THE HUNTING STARTS: EXTRACTING FUNCTION PARAMETERS FROM A SILLY LITTLE C PROGRAM
  11. HOW FUNCTION PARAMETERS ARE PASSED: X86-64 CALLING CONVENTIONS (https://en.wikipedia.org/wiki/X86_calling_conventions). System V AMD64 ABI (followed on Solaris, Linux, FreeBSD, macOS): "The first six integer or pointer arguments are passed in registers RDI, RSI, RDX, RCX, R8, R9 (R10 is used as a static chain pointer in case of nested functions), while XMM0, XMM1, XMM2, XMM3, XMM4, XMM5, XMM6 and XMM7 are used for certain floating point arguments. As in the Microsoft x64 calling convention, additional arguments are passed on the stack."
  12. HOW FUNCTION PARAMETERS ARE PASSED: X86-64 CALLING CONVENTIONS (https://mahmoudhatem.wordpress.com/2016/10/10/reverse-engineering-what-we-need-to-know-as-a-dba/). The silly little C program: seven integer arguments, so the first six travel in RDI, RSI, RDX, RCX, R8, R9 and the seventh goes on the stack.

         #include <stdio.h>

         /* Body not shown on the slide; any body serves, the point is the call site. */
         int add_value(int a, int b, int c, int d, int e, int f, int g)
         {
             return a + b + c + d + e + f + g;
         }

         int main(void)
         {
             printf("%d\n", add_value(1, 2, 3, 4, 5, 6, 7));
             return 0;
         }

  13. HOW FUNCTION PARAMETERS ARE PASSED: X86-64 CALLING CONVENTIONS (continued): https://mahmoudhatem.wordpress.com/2016/10/10/reverse-engineering-what-we-need-to-know-as-a-dba/
  14. TIME TO LOOK AT THE BIG O: EVENT HUNTING. ORACLE IS, AFTER ALL, ONLY A HUGE C PROGRAM OF ABOUT 25 MILLION LINES OF CODE.. THAT'S IT! (https://news.ycombinator.com/item?id=18442941)
  15. NUMERIC EVENTS (KS*/DBKD*). Table columns: Oracle kernel function | first argument (as stored in register RDI) | function used to check for enabled events
  16. EVENTS++/UTS (DBG*). Table columns: third argument | fourth argument | EventId to event/component names? | function used to check for enabled events
  17. EVENTS++/UTS (DBG*): start with a known case (https://mahmoudhatem.wordpress.com/2018/10/05/write-consistency-and-dml-restart/)
  18. EVENTS++/UTS (DBG*): • Tracing process execution using the Intel Pin tool debugtrace.so: dbgdpStoreEventIdByName -> dbgfcsIlcsGetDefByName returns the event id • Enable the DML UTS trace event
  19. EVENTS++/UTS (DBG*)
  20. EVENT NAME TO EVENT_ID MAPPING FILE: https://github.com/hatem-mahmoud/scripts/blob/master/dbgdChkEventIntV_event_list_extended19c.txt
  21. KERNEL FUNCTION TO EVENT NAME MAPPING FILE: https://github.com/hatem-mahmoud/scripts/blob/master/oracle_function_to_event_mapping19c.txt
  22. THANK YOU FOR YOUR ATTENTION. https://mahmoudhatem.wordpress.com, @Hatem__Mahmoud, https://linkedin.com/in/mahmoudhatemoracle
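As an added example (not from the slides or the presenter's blog), the seven-argument add_value of slides 10 to 13 rewritten in assembly, with the callee reading each argument from where the System V AMD64 ABI puts it: a..f in RDI, RSI, RDX, RCX, R8, R9 and g at 8(%rsp), just above the return address pushed by CALL. The function names add_value_asm and seventh_arg_asm are this example's own; the assembly path assumes an x86-64 ELF toolchain (GCC or Clang on Linux), with a plain C fallback elsewhere so the file still builds.

```c
/* Added example, not from the slides: the seven-argument add_value from the
 * warm-up slides written in assembly so the System V AMD64 argument layout is
 * explicit. Function names are this example's own. */
#include <stdio.h>

#if defined(__x86_64__) && defined(__ELF__)
/* Top-level asm: both routines become ordinary ELF symbols callable from C. */
__asm__(
    ".text\n"
    ".globl add_value_asm\n"
    ".type add_value_asm, @function\n"
    "add_value_asm:\n"
    "    mov  %rdi, %rax\n"       /* a: 1st integer argument */
    "    add  %rsi, %rax\n"       /* b: 2nd */
    "    add  %rdx, %rax\n"       /* c: 3rd */
    "    add  %rcx, %rax\n"       /* d: 4th */
    "    add  %r8,  %rax\n"       /* e: 5th */
    "    add  %r9,  %rax\n"       /* f: 6th */
    "    add  8(%rsp), %rax\n"    /* g: 7th, first stack slot above the return address */
    "    ret\n"
    ".size add_value_asm, .-add_value_asm\n"
    "\n"
    ".globl seventh_arg_asm\n"
    ".type seventh_arg_asm, @function\n"
    "seventh_arg_asm:\n"
    "    mov  8(%rsp), %rax\n"    /* return only g, the stack-passed argument */
    "    ret\n"
    ".size seventh_arg_asm, .-seventh_arg_asm\n"
);
long add_value_asm(long a, long b, long c, long d, long e, long f, long g);
long seventh_arg_asm(long a, long b, long c, long d, long e, long f, long g);
#else
/* Portable fallback so the file builds on other targets; only the assembly
 * path above actually demonstrates the register/stack layout. */
long add_value_asm(long a, long b, long c, long d, long e, long f, long g)
{
    return a + b + c + d + e + f + g;
}
long seventh_arg_asm(long a, long b, long c, long d, long e, long f, long g)
{
    (void)a; (void)b; (void)c; (void)d; (void)e; (void)f;
    return g;
}
#endif

int main(void)
{
    printf("add_value_asm(1..7)   = %ld\n", add_value_asm(1, 2, 3, 4, 5, 6, 7));
    printf("seventh_arg_asm(1..7) = %ld\n", seventh_arg_asm(1, 2, 3, 4, 5, 6, 7));
    return 0;
}
```

This is the same layout a debugger shows when you break on the callee: $rdi holds the first argument and the seventh sits at *(long *)($rsp + 8). Read them at the very first instruction of the function, because on an unoptimised build the callee's prologue typically spills the registers to its own frame right away, and after a call inside the callee RDI (caller-saved) is no longer meaningful.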

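Added example, not part of the talk or the presenter's scripts: one way to fill the "kernel function -> checked event" table of slides 5 and 15 statically, by scanning an objdump -d listing of a caller for the immediate loaded into EDI before each call to the event-check function (the slide's table places the checked value in the first argument, i.e. RDI). The listing and the check-function name chk_event are constructed for this example and the event numbers in it are placeholders, not values read from an Oracle binary. It also shows two cases a static scan cannot resolve (a memory operand, and a register clobbered by an intervening call), which is where the Pin-based sniffing of slide 6 takes over.

```c
/* Added example, not from the slides: derive "caller -> checked event"
 * statically from an objdump listing. Under the System V ABI the first
 * argument of the check function is whatever was last loaded into EDI/RDI
 * before the CALL. LISTING and chk_event are constructed for this example. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed "objdump -d" style output for one caller. Three cases appear:
 * an immediate, a memory operand, and RDI clobbered by an intervening call. */
static const char *const LISTING[] = {
    "0000000000401136 <caller_fn>:",
    "  401136:\t55                   \tpush   %rbp",
    "  401137:\t48 89 e5             \tmov    %rsp,%rbp",
    "  40113a:\tbf 3e 27 00 00       \tmov    $0x273e,%edi",
    "  40113f:\te8 1c 00 00 00       \tcall   401160 <chk_event>",
    "  401144:\t85 c0                \ttest   %eax,%eax",
    "  401146:\t8b 7b 08             \tmov    0x8(%rbx),%edi",
    "  401149:\te8 12 00 00 00       \tcall   401160 <chk_event>",
    "  40114e:\tbf d8 27 00 00       \tmov    $0x27d8,%edi",
    "  401153:\te8 18 00 00 00       \tcall   401170 <other_fn>",
    "  401158:\te8 03 00 00 00       \tcall   401160 <chk_event>",
    "  40115d:\tbf 06 28 00 00       \tmov    $0x2806,%edi",
    "  401162:\te8 f9 ff ff ff       \tcall   401160 <chk_event>",
    "  401167:\tc9                   \tleave",
    "  401168:\tc3                   \tret",
};
#define LISTING_LEN (sizeof LISTING / sizeof LISTING[0])

/* objdump puts a tab before the mnemonic; lines without one are headers. */
static const char *mnemonic(const char *line)
{
    const char *t = strrchr(line, '\t');
    return t ? t + 1 : NULL;
}

/* Walk the listing tracking whether RDI currently holds a known immediate.
 * For each call to check_fn store the event number, or -1 when the value came
 * from memory/another register or was clobbered by an earlier call.
 * Returns the number of check calls seen (may exceed max). */
int extract_checked_events(const char *const *lines, size_t n,
                           const char *check_fn, long *out, size_t max)
{
    char target[128];
    int have_imm = 0;
    long imm = 0;
    size_t count = 0;

    snprintf(target, sizeof target, "<%s>", check_fn);
    for (size_t i = 0; i < n; i++) {
        const char *m = mnemonic(lines[i]);
        if (!m)
            continue;
        if (strncmp(m, "call", 4) == 0) {
            if (strstr(m, target)) {
                if (count < max)
                    out[count] = have_imm ? imm : -1;
                count++;
            }
            have_imm = 0;        /* RDI is caller-saved: any call clobbers it */
            continue;
        }
        /* AT&T syntax: the destination is the last operand. */
        const char *comma = strrchr(m, ',');
        if (!comma)
            continue;
        if (strcmp(comma, ",%edi") == 0 || strcmp(comma, ",%rdi") == 0) {
            const char *dollar = strchr(m, '$');
            if (strncmp(m, "mov", 3) == 0 && dollar && dollar < comma) {
                imm = strtol(dollar + 1, NULL, 0);   /* "$0x273e" -> 10046 */
                have_imm = 1;
            } else {
                have_imm = 0;    /* e.g. mov 0x8(%rbx),%edi: only a tracer can tell */
            }
        }
    }
    return (int)count;
}

int main(void)
{
    long ev[16];
    int n = extract_checked_events(LISTING, LISTING_LEN, "chk_event", ev, 16);
    for (int i = 0; i < n; i++) {
        if (ev[i] < 0)
            printf("chk_event call %d: event not resolvable statically\n", i);
        else
            printf("chk_event call %d: event %ld\n", i, ev[i]);
    }
    return 0;
}
```

Against a real binary you would feed it `objdump -d --no-show-raw-insn` output restricted to one function and the real name of the check routine; every -1 it reports is a call site whose event number only a dynamic trace (a breakpoint on the check routine dumping $rdi, or the Pin tracing of slide 6) can recover.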