This document discusses building an Oracle event mapping file to extract checked events from specific Oracle functions in 10 minutes. It covers extracting function parameters from C programs using x86-64 calling conventions, tracing Oracle execution flows using Intel Pin tools to discover undocumented events, and creating mapping files between event names and IDs and kernel functions and events. The goal is to help with Oracle event hunting by mapping functions to events.

1. PART 2 : ORACLE EVENTS
HUNTING
HATEM MAHMOUD
HTTPS://MAHMOUDHATEM.WORDPRESS.COM
HIGH FIVE POUG
Geeking out with the WeedMan

2. 2
HOW TO BUILD AN ORACLE
EVENT MAPPING FILE
… IN 10 MIN !!

3. 3
BUILDING AN EVENT MAPPING FILES
https://github.com/hatem-mahmoud/scripts/blob/master/oracle_function_to_event_mapping19c.txt

4. 4
WHY ?

5. 5
EXTRACTING CHECKED EVENTS
https://github.com/hatem-mahmoud/scripts/blob/master/oracle_function_to_event_mapping19c.txt
Quickly extract checked events in a specific core oracle function using a simple mapping file :

6. 6
EVENT SNIFFING
https://mahmoudhatem.wordpress.com/2018/10/29/oracle-trace-events-hunting-events-annotations-events-sniffing/
Extracting “all” checked events in specific execution path : After executing select * from dual for example:
*Using Intel Pin tool debugtrace.so to trace program exécution flow

7. 7
ANNOTATING FLAME-GRAPH
https://mahmoudhatem.wordpress.com/2019/03/06/oracle-19c-event-mapping-files/

8. 8
DISCOVERING UNDOCUMENTED-UNDOCUMENETED EVENTS
https://mahmoudhatem.wordpress.com/2018/10/18/oracle-trace-events-hunting-undocumented-events-filling-the-gaps/

9. 9
AND BECAUSE IT’S FUN !!!!

10. 10
WARMING UP BEFORE THE HINTING
START :
EXTRACTING FUNCTION PARAMETER
FROM A SILLY LITTLE C PROGRAM

11. 11
HOW FUNCTION PARAMETERS ARE PASSED : X86-64 CALLING
CONVENTIONS
https://en.wikipedia.org/wiki/X86_calling_conventions
System V AMD64 ABI (Is followed on Solaris, Linux, FreeBSD, macOS)
• “The first six integer or pointer arguments are passed in registers RDI, RSI, RDX, RCX, R8, R9
(R10 is used as a static chain pointer in case of nested functions[19]:21), while XMM0, XMM1, XMM2,
XMM3, XMM4, XMM5, XMM6 and XMM7 are used for certain floating point arguments.[19]:22 As in the
Microsoft x64 calling convention, additional arguments are passed on the stack.”

12. 12
HOW FUNCTION PARAMETERS ARE PASSED : X86-64 CALLING
CONVENTIONS
https://mahmoudhatem.wordpress.com/2016/10/10/reverse-engineering-what-we-need-to-know-as-a-dba/
int add_value(int a,int b ,int c,int d,int e,int f,int g);
int main()
{
printf ("%dn", add_value(1,2,3,4,5,6,7));
return 0;
};

13. 13
HOW FUNCTION PARAMETERS ARE PASSED : X86-64 CALLING
CONVENTIONS
https://mahmoudhatem.wordpress.com/2016/10/10/reverse-engineering-what-we-need-to-know-as-a-dba/

14. 14
TIME TO LOOK AT THE BIG O : EVENT HUNTING
ORACLE IT'S AFTER ALL ONLY A HUGE C
PROGRAM WITH ABOUT 25 MILLION LINE OF
CODE .. THAT’S IT !
https://news.ycombinator.com/item?id=18442941

15. 15
NUMERIC EVENTS (KS*/DBKD*)
Oracle kernel function
First argument as stored in Register RDI
Function used to check for enabled events

16. 16
EVENTS++/UTS (DBG*)
Third argument
Forth argument
EventId to Event/componenent names ?
Function used to check for enabled events

17. 17
EVENTS++/UTS (DBG*)
https://mahmoudhatem.wordpress.com/2018/10/05/write-consistency-and-dml-restart/
Start with a known case

18. 18
EVENTS++/UTS (DBG*)
• Tracing process execution using Intel Pin tools debugtrace.so
 dbgdpStoreEventIdByName  dbgfcsIlcsGetDefByName return the Event Id
• Enable DML UTS trace event

19. 19
EVENTS++/UTS (DBG*)

20. 20
EVENT NAME TO EVENT_ID MAPPING FILE
https://github.com/hatem-mahmoud/scripts/blob/master/dbgdChkEventIntV_event_list_extended19c.txt

21. 21
KERNEL FUNCTION TO EVENT NAME MAPPING FILE
https://github.com/hatem-mahmoud/scripts/blob/master/oracle_function_to_event_mapping19c.txt

22. 22
THANK YOU FOR YOUR
ATTENTION
https://mahmoudhatem.wordpress.com
@Hatem__Mahmoud
https://linkedin.com/in/mahmoudhatemoracle