In my last blog post, Oracle trace events hunting : dbgdChkEventIntV, I talked about how we can extract the events that are checked in a specific Oracle core function by analyzing the arguments passed to the dbgdChkEventIntV function. For that I used a mapping file called dbgdChkEventIntV_event_list.txt (basically mapping EventId to the actual Event Name).
When we analyze the mapping file we observe something :
The different events seem to have sequential Event IDs (stored in an array ?) ! So what is stored in slots 1160002, 116004, 116007 etc ? Let’s check !
Before I begin, here are the scripts that we can use to check which events are checked in a specific function (based on Franck Pachot's scripts):
# $i holds the name of the function to disassemble
gdb oracle <<<"disas $i" | awk --non-decimal-data '/mov .*,%edi$/{gsub(/[$,]/," ");a=$4}/EventRdbmsErr/{printf "dbkdChkEventRdbmsErr %d\n", a}' | sort -u
gdb oracle <<<"disas $i" | awk --non-decimal-data '/mov .*,%.*cx$/{gsub(/[$,]/," ");a=$4}/mov .*,%.*dx$/{gsub(/[$,]/," ");b=$4}/dbgdChkEventIntV/{if(b == 18219009 ) { printf "dbgdChkEventIntV EDX:%x ECX:%x \n", b,a ; } else { printf "dbgdChkEventIntV EDX:%x \n", b ; } }' | sort -u
Example :
I also generated a function-event file oracle_func_event18c.txt similar to the one generated here by Yong Huang using the following script :
# List every text (code) symbol in the oracle binary
nm oracle | awk '/ [Tt] / {print $3}' | egrep -v '\.|rot13|_etext|__init_array_' > oracle.Txt.nm
# For each function, print its name followed by the events it checks
for i in $(<oracle.Txt.nm); do
echo $i
gdb oracle <<<"disas $i" | awk --non-decimal-data '/mov .*,%edi$/{gsub(/[$,]/," ");a=$4}/EventRdbmsErr/{printf "dbkdChkEventRdbmsErr %d\n", a}' | sort -u
gdb oracle <<<"disas $i" | awk --non-decimal-data '/mov .*,%.*cx$/{gsub(/[$,]/," ");a=$4}/mov .*,%.*dx$/{gsub(/[$,]/," ");b=$4}/dbgdChkEventIntV/{if(b == 18219009 ) { printf "dbgdChkEventIntV EDX:%x ECX:%x \n", b,a ; } else { printf "dbgdChkEventIntV EDX:%x \n", b ; } }' | sort -u
done > oracle_func_event18c.txt
Extract from oracle_func_event18c.txt :
So the function adbdrv_options (alter database driver ?? http://orafun.info/ ) checks for these events :
- Undocumented event number :10517
- Event with ID : 0x2160011 which is using the mapping file :
Ok, based on the generated function-event file oracle_func_event18c.txt, let’s check if there are some Oracle core functions checking for an event with ID 0x1160002 (one of the missing ones)
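The same lookup can be done by parsing the function-event file and inverting it into an event-to-functions index. The following Python is an added example, not a script from the original post; the sample lines, the names func_a to func_c, the placeholder name for 0x2160011 and the choice to read the ID from ECX whenever it is printed are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample in the layout the loop writes: a function name (echo $i),
# then that function's awk output. adbdrv_options and its two events come from
# the post; func_a..func_c are hypothetical names.
SAMPLE = """\
adbdrv_options
dbkdChkEventRdbmsErr 10517
dbgdChkEventIntV EDX:2160011
func_a
dbgdChkEventIntV EDX:1160001 ECX:1160002
func_b
func_c
dbgdChkEventIntV EDX:1160001 ECX:1160002
dbgdChkEventIntV EDX:1160001 ECX:1160003
"""

# IDs treated as already named. Names for 0x1160003/0x1160005 are from the
# post; the name behind 0x2160011 is not shown there, so it is a placeholder.
KNOWN = {0x1160003: "disable_dde_action", 0x1160005: "ams_trace",
         0x2160011: "<name not shown>"}

INTV = re.compile(r"^dbgdChkEventIntV EDX:([0-9a-f]+)(?: ECX:([0-9a-f]+))?\s*$")
RDBMS = re.compile(r"^dbkdChkEventRdbmsErr (\d+)\s*$")

def index_events(text):
    """Return (intv, rdbms): event ID/number -> set of functions checking it."""
    intv, rdbms, func = defaultdict(set), defaultdict(set), None
    for line in text.splitlines():
        m = INTV.match(line)
        if m:
            # ECX is only printed when EDX is 0x1160001; assume it then
            # carries the event ID, otherwise EDX does.
            intv[int(m.group(2) or m.group(1), 16)].add(func)
        elif (m := RDBMS.match(line)):
            rdbms[int(m.group(1))].add(func)
        elif line.strip():
            func = line.strip()  # any other non-empty line is a function name
    return intv, rdbms

def unnamed_ids(intv, known=KNOWN):
    """IDs some function checks that have no name yet, with their callers."""
    return {hex(i): sorted(f) for i, f in sorted(intv.items()) if i not in known}

if __name__ == "__main__":
    intv, rdbms = index_events(SAMPLE)
    for event_id, funcs in unnamed_ids(intv).items():
        print(event_id, "checked by", ", ".join(funcs))
```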
Ok there is ! But how to enable it ? What are we gonna call it ?
I decided to take a look at the oracle executable (the disable_dde_action event has an ID of 0x1160003) …. and …
PS: Of course there is another approach, like analyzing the function dbgfcsIlcsGetDefByName (called from dbgdpStoreEventIdByName) and the different memory structures, but this is an easier method 😀
simerr ? Let’s check !
Great, we got one ! A new event, and after verification (based on the function dbgfcsIlcsGetDefByName, which returns the event ID) its ID is indeed 0x1160002.
What about event ID 0x1160004 ?
The ams_trace event has an ID of 0x1160005
eveppdebug ?
Great another one !
Basically I should fill in the blanks ! And that’s what I did 😀
And here is what the extended mapping file looks like dbgdChkEventIntV_event_list_extended.txt ( NB: This is not an exhaustive research and the mapping file is far from being complete but it may give some clue on where to start ! )
Extract from event filter and scope :
Download : dbgdChkEventIntV_event_list_extended.txt
Download : oracle_func_event18c.txt (I will upload the file soon)
That’s it 😀