Re: New tool: ddldump

From: Guillermo Alan Bort <>
Date: Mon, 28 Jun 2010 22:37:11 -0300
Message-ID: <>

Hey David,

   Nice tool, looks very interesting. Does it work on archived redolg files? I'll try it in my toy DBs this week... :-) I'd love to do it in productive ones, as it works on redo, I'm guessing it has no direct impact on the DB... is the source code available?


On Mon, Jun 28, 2010 at 9:50 PM, David Litchfield <> wrote:

> Hey all,
> As part of a larger project, I've written a small tool called ddldump that
> parses Oracle redolog files and dumps any DDL statements in an XML format.
> ddldump has been developed with forensic investigations in mind but can of
> course be simply used by DBAs to peruse the DDL in their logs. You can
> download it from
> Cheers,
> David Litchfield
> v3rity Ltd
> C:\app\david\oradata\orcl11g>ddldump REDO01.log ddl
> <?xml version="1.0"?>
> <LOG>
> <database_sid>ORCL11G</database_sid>
> <version>11.1</version>
> <ltimestamp>01/02/2010 15:26:02</ltimestamp>
> <blocksize>512</blocksize>
> <nab>234</nab>
> <lowscn>3977649</lowscn>
> <nextscn>3977776</nextscn>
> <TIMESTAMP>04/03/2010 01:16:34</TIMESTAMP>
> <SQL_STATETMENT>create user hax0r identified by VALUES '9A3502887F7210C4'
> <SCHEMA>hax0r</SCHEMA>
> </ENTRY>
> </LOG>
> C:\>
> RDRCOFST is the hexadecimal offset into the redolog file where the redo
> entry containing the DDL statement can be found
> CHVCOFST is the hexadecimal offset into the redolog file where the change
> vector containing the DDL statement can be found
> TIMESTAMP is the time and date when the redo entry was written to the log
> file.
> SESSION_USER is the user that is logged on and initiated the DDL statement
> CURRENT_USER is the user under whose authority the DDL actually executes.
> If session_user and current_user are different it could be indicitive of a
> SQL injection attack.
> SQL_STATEMENT is the DDL that was executed.
> SCHEMA, if present, is the schema upon which the DDL acts.
> OBJECT, if present, is the object upon which the DDL acts.
> --

Received on Mon Jun 28 2010 - 20:37:11 CDT

Original text of this message