This document discusses building an Oracle event mapping file to extract checked events from specific Oracle functions in 10 minutes. It covers extracting function parameters from C programs using x86-64 calling conventions, tracing Oracle execution flows using Intel Pin tools to discover undocumented events, and creating mapping files between event names and IDs and kernel functions and events. The goal is to help with Oracle event hunting by mapping functions to events.
10. 10
WARMING UP BEFORE THE HUNTING STARTS:
EXTRACTING FUNCTION PARAMETERS FROM A SILLY LITTLE C PROGRAM
11. 11
HOW FUNCTION PARAMETERS ARE PASSED: X86-64 CALLING CONVENTIONS
https://en.wikipedia.org/wiki/X86_calling_conventions
System V AMD64 ABI (followed on Solaris, Linux, FreeBSD, macOS)
• “The first six integer or pointer arguments are passed in registers RDI, RSI, RDX, RCX, R8, R9
(R10 is used as a static chain pointer in case of nested functions[19]:21), while XMM0, XMM1, XMM2,
XMM3, XMM4, XMM5, XMM6 and XMM7 are used for certain floating point arguments.[19]:22 As in the
Microsoft x64 calling convention, additional arguments are passed on the stack.”
12. 12
HOW FUNCTION PARAMETERS ARE PASSED: X86-64 CALLING CONVENTIONS
https://mahmoudhatem.wordpress.com/2016/10/10/reverse-engineering-what-we-need-to-know-as-a-dba/
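#include <stdio.h>

/* Seven int arguments: per the ABI quoted above, the first six are passed
   in registers and the seventh on the stack.
   add_value is only declared on this slide; its definition is not shown. */
int add_value(int a, int b, int c, int d, int e, int f, int g);

int main()
{
    printf("%d\n", add_value(1, 2, 3, 4, 5, 6, 7));
    return 0;
}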
13. 13
HOW FUNCTION PARAMETERS ARE PASSED: X86-64 CALLING CONVENTIONS
https://mahmoudhatem.wordpress.com/2016/10/10/reverse-engineering-what-we-need-to-know-as-a-dba/
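An added example (not from the slides or the linked blog post) that shows the quoted convention directly, assuming Linux x86-64 with GCC or Clang: seven assembly probes, each returning one argument location exactly as it is at function entry, are called with the slide's values 1 to 7. The probe_* and value_at names are hypothetical.

```c
/* Added example: System V AMD64 only (assumes Linux x86-64, GCC or Clang). */
#include <stdio.h>

/* Each probe is raw assembly, so no compiler prologue runs first: it returns
   the content of one argument location exactly as it is at function entry.
   At entry (%rsp) holds the return address, so the first stack-passed
   argument sits at 8(%rsp). All probe_* names are hypothetical. */
__asm__(
    ".pushsection .text\n"
    ".globl probe_rdi\n"   "probe_rdi:   mov %rdi, %rax\n    ret\n"
    ".globl probe_rsi\n"   "probe_rsi:   mov %rsi, %rax\n    ret\n"
    ".globl probe_rdx\n"   "probe_rdx:   mov %rdx, %rax\n    ret\n"
    ".globl probe_rcx\n"   "probe_rcx:   mov %rcx, %rax\n    ret\n"
    ".globl probe_r8\n"    "probe_r8:    mov %r8, %rax\n     ret\n"
    ".globl probe_r9\n"    "probe_r9:    mov %r9, %rax\n     ret\n"
    ".globl probe_stack\n" "probe_stack: mov 8(%rsp), %rax\n ret\n"
    ".popsection\n");

/* All probes share the seven-integer signature of the slide's add_value. */
typedef long probe_fn(long, long, long, long, long, long, long);
probe_fn probe_rdi, probe_rsi, probe_rdx, probe_rcx, probe_r8, probe_r9,
         probe_stack;

static const struct { const char *where; probe_fn *fn; } probes[] = {
    {"RDI", probe_rdi}, {"RSI", probe_rsi}, {"RDX", probe_rdx},
    {"RCX", probe_rcx}, {"R8", probe_r8},   {"R9", probe_r9},
    {"8(%rsp)", probe_stack},
};
#define NPROBES (sizeof probes / sizeof probes[0])

/* Call probe n with the values 1..7 and return what it found in its
   location; -1 if n is out of range. */
long value_at(unsigned n)
{
    return n < NPROBES ? probes[n].fn(1, 2, 3, 4, 5, 6, 7) : -1;
}

int main(void)
{
    for (unsigned n = 0; n < NPROBES; n++)
        printf("%-8s holds argument value %ld\n", probes[n].where, value_at(n));
    return 0;
}
```

These are the locations to inspect when a breakpoint is set at a function's entry, before its prologue has run.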
14. 14
TIME TO LOOK AT THE BIG O: EVENT HUNTING
ORACLE IS, AFTER ALL, ONLY A HUGE C PROGRAM WITH ABOUT 25 MILLION LINES OF CODE... THAT'S IT!
https://news.ycombinator.com/item?id=18442941