Oracle trace events hunting : Undocumented events/Filling the gaps

In my last blog post, Oracle trace events hunting : dbgdChkEventIntV, I talked about how we can extract the events that are checked in a specific Oracle core function by analyzing the arguments passed to the dbgdChkEventIntV function. For that I used a mapping file called dbgdChkEventIntV_event_list.txt (basically mapping an Event ID to the actual Event Name).

When we analyze the mapping file we observe something:

[Image: Capture 150]

The different events seem to have sequential Event IDs (stored in an array?)! So what is stored in slots 1160002, 116004, 116007, etc.? Let's check!

Before I begin, here are the scripts that we can use to check which events are checked in a specific function (based on Franck Pachot's scripts), where $i holds the function name:

gdb oracle <<<"disas $i" | awk --non-decimal-data '/mov .*,%edi$/{gsub(/[$,]/," ");a=$4}/EventRdbmsErr/{printf "dbkdChkEventRdbmsErr %d\n", a}' | sort -u
gdb oracle <<<"disas $i" | awk --non-decimal-data '/mov .*,%.*cx$/{gsub(/[$,]/," ");a=$4}/mov .*,%.*dx$/{gsub(/[$,]/," ");b=$4}/dbgdChkEventIntV/{if(b == 18219009 ) { printf "dbgdChkEventIntV EDX:%x ECX:%x \n", b,a ; } else { printf "dbgdChkEventIntV EDX:%x \n", b ; } }' | sort -u

Example:

[Image: Capture 159]

I also generated a function-event file, oracle_func_event18c.txt, similar to the one generated here by Yong Huang, using the following script:

# List the text-section (T/t) symbols of the oracle binary
nm oracle | awk '/ [Tt] / {print $3}' | egrep -v '\.|rot13|_etext|__init_array_' > oracle.Txt.nm

for i in $(<oracle.Txt.nm); do
  # Function name first, then the events checked inside it
  echo "$i"
  # Events checked through dbkdChkEventRdbmsErr (value moved into EDI before the call)
  gdb oracle <<<"disas $i" | awk --non-decimal-data '/mov .*,%edi$/{gsub(/[$,]/," ");a=$4}/EventRdbmsErr/{printf "dbkdChkEventRdbmsErr %d\n", a}' | sort -u
  # Events checked through dbgdChkEventIntV (EDX, plus ECX when EDX is 18219009 = 0x1160001)
  gdb oracle <<<"disas $i" | awk --non-decimal-data '/mov .*,%.*cx$/{gsub(/[$,]/," ");a=$4}/mov .*,%.*dx$/{gsub(/[$,]/," ");b=$4}/dbgdChkEventIntV/{if(b == 18219009 ) { printf "dbgdChkEventIntV EDX:%x ECX:%x \n", b,a ; } else { printf "dbgdChkEventIntV EDX:%x \n", b ; } }' | sort -u
done > oracle_func_event18c.txt

Extract from oracle_func_event18c.txt:

[Image: Capture 160]

So the function adbdrv_options (alter database driver ?? http://orafun.info/) checks for these events:

  • Undocumented event number: 10517
  • Event with ID 0x2160011, which according to the mapping file is:

[Image: Capture 162]

OK, based on the generated function-event file oracle_func_event18c.txt, let's check whether there are some Oracle core functions checking for an event with ID 0x1160002 (one of the missing ones).

[Image: Capture 151]

OK, there is! But how do we enable it? What are we going to call it?

I decided to take a look at the oracle executable (the disable_dde_action event has an ID of 0x1160003) ... and ...

[Image: Capture 152]

PS: Of course there is another approach, like analyzing the function dbgfcsIlcsGetDefByName (called from dbgdpStoreEventIdByName) and the different memory structures, but this is an easier method 😀

[Image: Capture 161]

simerr? Let's check!

[Image: Capture 153]

Great, we got one! A new event, and after verification (based on the function dbgfcsIlcsGetDefByName, which returns the event ID) its ID is indeed 0x1160002.

What about event ID 0x1160004?

[Image: Capture 155]

The ams_trace event has an ID of 0x1160005.

[Image: Capture 154]

eveppdebug?

[Image: Capture 156]

Great, another one!

Basically I should fill in the blanks! And that's what I did 😀

And here is what the extended mapping file, dbgdChkEventIntV_event_list_extended.txt, looks like (NB: this is not exhaustive research and the mapping file is far from complete, but it may give some clue on where to start!):

[Image: Capture 160]
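The gap check done by hand above for 0x1160002 can be run over the whole function-event file at once. This is an added example, not a script from the original post: it assumes the mapping file has one "<hex id> <event name>" pair per line, and the hypo_func_* names, NAME_PLACEHOLDER and both sample extracts are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the original post.
# Prints "<event id> <function>" for every dbgdChkEventIntV event ID that a
# function checks but that has no name in the mapping file.
unmapped_events() {                 # usage: unmapped_events MAPFILE FUNCFILE
    awk '
        function norm(h) { sub(/^0[xX]/, "", h); return tolower(h) }
        # First file: mapping, assumed format "<hex id> <event name>".
        NR == FNR { if (NF >= 2) known[norm($1)] = $2; next }
        # Second file: a bare function name, then the checks found in it.
        $1 == "dbkdChkEventRdbmsErr" { next }   # numeric events are not in the ID mapping
        $1 == "dbgdChkEventIntV" {
            id = $2; sub(/^EDX:/, "", id); id = norm(id)
            if (!(id in known)) print "0x" id, fn
            next
        }
        NF == 1 { fn = $1 }
    ' "$1" "$2" | LC_ALL=C sort -u
}

demo() {
    dir=$(mktemp -d) || return 1
    # Constructed mapping extract; NAME_PLACEHOLDER stands for a name not shown in the text.
    cat > "$dir/map.txt" <<'EOF'
0x1160003 disable_dde_action
0x1160005 ams_trace
0x2160011 NAME_PLACEHOLDER
EOF
    # Constructed function-event extract; hypo_func_* are hypothetical names.
    cat > "$dir/func.txt" <<'EOF'
adbdrv_options
dbkdChkEventRdbmsErr 10517
dbgdChkEventIntV EDX:2160011
hypo_func_a
dbgdChkEventIntV EDX:1160002
dbgdChkEventIntV EDX:1160003
hypo_func_b
hypo_func_c
dbgdChkEventIntV EDX:1160004
dbgdChkEventIntV EDX:1160002
EOF
    unmapped_events "$dir/map.txt" "$dir/func.txt"
    rm -rf "$dir"
}

demo
```

Each output line is a candidate for the string search in the oracle executable described above: an ID that code really checks but that still has no name.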

Extract from event filter and scope:

[Image: Capture 159]

Download : dbgdChkEventIntV_event_list_extended.txt

Download : oracle_func_event18c.txt  (I will upload the file soon)

That’s it 😀
