Seeing All the System Calls That Were Made by a Java Program

Seeing all the system calls that were made by a Java program

Use strace:

strace -f java your_program

or

strace -f -p <pid of your java program>

How to check if C++ source has any system/shell calls in it?

In short, you cannot detect reliably all malicious syscalls (by static analysis of source code); read about the halting problem and Rice's theorem... BTW MELT would be slightly better than grep since it works on the GCC GIMPLE representation.

Think of (on Linux)

  • dlopen(3)-ing the libc (or the main executable) then dlsym-ing "system" to get a pointer to the system function
  • knowing the libc layout and version, then computing system's address by adding some known offset to the address of malloc
  • using some JIT library, e.g. the header-only GNU lightning
  • coding the equivalent of system with fork and execve ....
  • etc....

Of course, you might be trusting your user (I won't do that for a web application). If you trust all your users and just want to detect mistakes you might be able to filter some of them.

You need some container, e.g. Docker.

strace on two instances of java

By default, the program strace does not trace child processes. However, the Java VM creates a child process for the actual work early in its startup. That's the reason why the two different programs generate the same result when invoked with strace.

To also trace child processes, use the option -f to strace, i.e.:

strace -f java Hello
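An added example (not part of the original answer): a small parser for a trace saved with `strace -f -o trace.txt java Hello`, listing the calls made by tasks other than the launcher, which are the ones missing when `-f` is left out. The `-o` option, the file name and the sample trace are assumptions; the sample is constructed, not a real capture.

```python
import re
from collections import Counter

# Constructed sample shaped like `strace -f -o trace.txt java Hello` output
# (with -o, strace prefixes every line with the PID). Not a real capture.
SAMPLE = r'''4001 execve("/usr/bin/java", ["java", "Hello"], 0x7ffd5e0 /* 20 vars */) = 0
4001 openat(AT_FDCWD, "/usr/lib/jvm/lib/libjli.so", O_RDONLY|O_CLOEXEC) = 3
4001 clone(child_stack=0x7f10a0000000, flags=CLONE_VM|CLONE_THREAD) = 4002
4001 futex(0x7f10a00009d0, FUTEX_WAIT, 4002, NULL <unfinished ...>
4002 openat(AT_FDCWD, "Hello.class", O_RDONLY) = 4
4002 read(4, "\312\376\272\276"..., 1024) = 420
4002 write(1, "Hello\n", 6) = 6
4002 exit(0) = ?
4001 <... futex resumed>) = 0
4002 +++ exited with 0 +++
4001 exit_group(0) = ?
4001 +++ exited with 0 +++
'''

# "<pid> <syscall>(<rest>": the start of a call, finished or "<unfinished ...>"
CALL = re.compile(r'^(\d+)\s+(\w+)\((.*)$')

def parse(text):
    """Yield (pid, syscall, rest_of_line) once per call."""
    for line in text.splitlines():
        m = CALL.match(line)
        if m:  # skips "<... x resumed>" and "+++ exited +++" lines
            yield int(m.group(1)), m.group(2), m.group(3)

def per_pid(text):
    """Return {pid: Counter(syscall -> count)}."""
    counts = {}
    for pid, name, _ in parse(text):
        counts.setdefault(pid, Counter())[name] += 1
    return counts

def missed_without_f(text):
    """Calls made by any task other than the first one traced, i.e. what
    plain `strace java Hello` (no -f) would not show."""
    calls = list(parse(text))
    if not calls:
        return []
    root = calls[0][0]
    return [(pid, name) for pid, name, _ in calls if pid != root]

if __name__ == "__main__":
    for pid, counts in per_pid(SAMPLE).items():
        print(pid, dict(counts))
    print("missed without -f:", missed_without_f(SAMPLE))
```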

How can I get the complete Call Hierarchy of a Java source code?

If you want to make any source code changes/refactoring you will have to manually find all usages and apply your code changes.

Anyway, I have two different approaches:

  1. Static search
    You can simply do a Text Search in Eclipse to find the occurrences of getA2(). It will take you directly to the caller method (here CBusinessObject.verifyA()), but it will give you every getA2() occurrence, possibly from different classes.

  2. Run time search
    Use the Java instrumentation API to change the byte code of your required method at run time to find the invoking class, and run it as a Java agent. This enables you to identify the caller without touching the existing code base and is very useful especially when you don't have access to the source code.

Here is how to implement it:

Step 1 - Write the agent main class to initiate instrumentation

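package com.sk.agent.basic; // matches Premain-Class in the manifest below

import java.lang.instrument.Instrumentation;

public class BasicAgent {
    // Called by the JVM before the application's main() when started with -javaagent
    public static void premain(String agentArguments, Instrumentation instrumentation) {
        System.out.println("Simple Agent");
        FindUsageTransformer transformer = new FindUsageTransformer();
        // true = the transformer may also be used for retransformation
        instrumentation.addTransformer(transformer, true);
    }
}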

Step 2 - Write a ClassFileTransformer implementation and capture the method

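package com.sk.agent.basic;

import java.lang.instrument.ClassFileTransformer;
import java.lang.instrument.IllegalClassFormatException;
import java.security.ProtectionDomain;
import javassist.ClassPool;
import javassist.CtClass;
import javassist.CtMethod;

public class FindUsageTransformer implements ClassFileTransformer {

    public byte[] transform(ClassLoader loader, String className, Class<?> classBeingRedefined,
            ProtectionDomain protectionDomain, byte[] classfileBuffer)
            throws IllegalClassFormatException {
        // className may be null and uses the internal form (e.g. "pkg/A")
        if ("A".equals(className)) {
            // Return the instrumented bytes; returning classfileBuffer here would discard them
            return doClass(className, classBeingRedefined, classfileBuffer);
        }
        return classfileBuffer;
    }

    private byte[] doClass(String name, Class<?> clazz, byte[] b) {
        ClassPool pool = ClassPool.getDefault();
        CtClass cl = null;
        try {
            cl = pool.makeClass(new java.io.ByteArrayInputStream(b));
            CtMethod method = cl.getDeclaredMethod("getA2");
            // here you have lot of options to explore
            // Frame 0 is Thread.getStackTrace and frame 1 is getA2 itself; frame 2 is the caller
            method.insertBefore("System.out.println(Thread.currentThread().getStackTrace()[2].getClassName()"
                    + " + \".\" + Thread.currentThread().getStackTrace()[2].getMethodName());");
            b = cl.toBytecode();
        } catch (Exception e) {
            System.err.println("Could not instrument " + name
                    + ", exception : " + e.getMessage());
        } finally {
            if (cl != null) {
                cl.detach(); // release the class from the pool
            }
        }
        return b;
    }
}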

Step 3 - Create a jar file for the agent classes (you have to set the manifest file with the premain class, and add the javassist jar). A snippet of the build file is given; you can do it manually as well.

<jar destfile="build/jar/BasicAgent.jar" basedir="build/classes">
    <manifest>
        <attribute name="Manifest-Version" value="1.0"/>
        <attribute name="Premain-Class" value="com.sk.agent.basic.BasicAgent"/>
        <attribute name="Boot-Class-Path" value="../lib/javassist.jar"/>
    </manifest>
</jar>

Step 4 - Run your main application with the Java agent. Before that, set the VM arguments to load the agent:

            -javaagent:D:\softwares\AgentProject\AgentLib\build\jar\BasicAgent.jar

Prerequisite: you would need javassist.jar in the class path.


