Oracle events hunting [POUG19]
Download as PPTX, PDF1 like860 views
This document discusses building Oracle event mapping files to extract checked events from specific Oracle functions in 10 minutes. It explains how function parameters are passed in x86-64 calling conventions and traces a C program's execution flow using Intel Pin tools to discover undocumented events. The document promotes event hunting in Oracle as it is essentially a huge C program and provides links to event name to ID mapping files and kernel function to event mapping files to facilitate tracing Oracle events.
![11
HOW FUNCTION PARAMETERS ARE PASSED : X86-64 CALLING
CONVENTIONS
https://en.wikipedia.org/wiki/X86_calling_conventions
System V AMD64 ABI (Is followed on Solaris, Linux, FreeBSD, macOS)
• “The first six integer or pointer arguments are passed in registers RDI, RSI, RDX, RCX, R8, R9
(R10 is used as a static chain pointer in case of nested functions[19]:21), while XMM0, XMM1, XMM2,
XMM3, XMM4, XMM5, XMM6 and XMM7 are used for certain floating point arguments.[19]:22 As in the
Microsoft x64 calling convention, additional arguments are passed on the stack.”](https://image.slidesharecdn.com/oracleeventshunting-190909105308/85/Oracle-events-hunting-POUG19-11-320.jpg)
Oracle events hunting [POUG19]
- 1. PART 2 : ORACLE EVENTS HUNTING HATEM MAHMOUD HTTPS://MAHMOUDHATEM.WORDPRESS.COM HIGH FIVE POUG Geeking out with the WeedMan
- 2. 2 HOW TO BUILD AN ORACLE EVENT MAPPING FILE … IN 10 MIN !!
- 3. 3 BUILDING AN EVENT MAPPING FILES https://github.com/hatem-mahmoud/scripts/blob/master/oracle_function_to_event_mapping19c.txt
- 4. 4 WHY ?
- 5. 5 EXTRACTING CHECKED EVENTS https://github.com/hatem-mahmoud/scripts/blob/master/oracle_function_to_event_mapping19c.txt Quickly extract checked events in a specific core oracle function using a simple mapping file :
- 6. 6 EVENT SNIFFING https://mahmoudhatem.wordpress.com/2018/10/29/oracle-trace-events-hunting-events-annotations-events-sniffing/ Extracting “all” checked events in specific execution path : After executing select * from dual for example: *Using Intel Pin tool debugtrace.so to trace program exécution flow
- 9. 9 AND BECAUSE IT’S FUN !!!!
- 10. 10 WARMING UP BEFORE THE HINTING START : EXTRACTING FUNCTION PARAMETER FROM A SILLY LITTLE C PROGRAM
- 11. 11 HOW FUNCTION PARAMETERS ARE PASSED : X86-64 CALLING CONVENTIONS https://en.wikipedia.org/wiki/X86_calling_conventions System V AMD64 ABI (Is followed on Solaris, Linux, FreeBSD, macOS) • “The first six integer or pointer arguments are passed in registers RDI, RSI, RDX, RCX, R8, R9 (R10 is used as a static chain pointer in case of nested functions[19]:21), while XMM0, XMM1, XMM2, XMM3, XMM4, XMM5, XMM6 and XMM7 are used for certain floating point arguments.[19]:22 As in the Microsoft x64 calling convention, additional arguments are passed on the stack.”
- 12. 12 HOW FUNCTION PARAMETERS ARE PASSED : X86-64 CALLING CONVENTIONS https://mahmoudhatem.wordpress.com/2016/10/10/reverse-engineering-what-we-need-to-know-as-a-dba/ int add_value(int a,int b ,int c,int d,int e,int f,int g); int main() { printf ("%dn", add_value(1,2,3,4,5,6,7)); return 0; };
- 13. 13 HOW FUNCTION PARAMETERS ARE PASSED : X86-64 CALLING CONVENTIONS https://mahmoudhatem.wordpress.com/2016/10/10/reverse-engineering-what-we-need-to-know-as-a-dba/
- 14. 14 TIME TO LOOK AT THE BIG O : EVENT HUNTING ORACLE IT'S AFTER ALL ONLY A HUGE C PROGRAM WITH ABOUT 25 MILLION LINE OF CODE .. THAT’S IT ! https://news.ycombinator.com/item?id=18442941
- 15. 15 NUMERIC EVENTS (KS*/DBKD*) Oracle kernel function First argument as stored in Register RDI Function used to check for enabled events
- 16. 16 EVENTS++/UTS (DBG*) Third argument Forth argument EventId to Event/componenent names ? Function used to check for enabled events
- 17. 17 EVENTS++/UTS (DBG*) https://mahmoudhatem.wordpress.com/2018/10/05/write-consistency-and-dml-restart/ Start with a known case
- 18. 18 EVENTS++/UTS (DBG*) • Tracing process execution using Intel Pin tools debugtrace.so dbgdpStoreEventIdByName dbgfcsIlcsGetDefByName return the Event Id • Enable DML UTS trace event
- 20. 20 EVENT NAME TO EVENT_ID MAPPING FILE https://github.com/hatem-mahmoud/scripts/blob/master/dbgdChkEventIntV_event_list_extended19c.txt
- 21. 21 KERNEL FUNCTION TO EVENT NAME MAPPING FILE https://github.com/hatem-mahmoud/scripts/blob/master/oracle_function_to_event_mapping19c.txt
- 22. 22 THANK YOU FOR YOUR ATTENTION https://mahmoudhatem.wordpress.com @Hatem__Mahmoud https://linkedin.com/in/mahmoudhatemoracle
Editor's Notes
- #12: This article describes the calling conventions used when programming x86 architecture microprocessors. In computer software, an application binary interface (ABI) is an interface between two binary program modules; often, one of these modules is a library or operating system facility, and the other is a program that is being run by a user.
- #13: This article describes the calling conventions used when programming x86 architecture microprocessors.
- #14: This article describes the calling conventions used when programming x86 architecture microprocessors.
- #16: We know how to extract the trace events number from the old ksdpec function (kernel service debug internal errors parser post event and check trigger condition using http://orafun.info/ of course 😀 ) thank to Dennis Yurichev see here and here. We also know how to extract it from dbkdChkEventRdbmsErr (DB kernel debug check event of RDBMS error) thanks to Yong Huang see here.
- #17: This article describes the calling conventions used when programming x86 architecture microprocessors.
- #18: This article describes the calling conventions used when programming x86 architecture microprocessors.
- #19: This article describes the calling conventions used when programming x86 architecture microprocessors.