diff --git a/thirdparty/yara/ReadMe.txt b/thirdparty/yara/ReadMe.txt
new file mode 100755
index 0000000000..31f38633b4
--- /dev/null
+++ b/thirdparty/yara/ReadMe.txt
@@ -0,0 +1,39 @@
+This folder contains the projects you need for building and testing the yarabridge.dll and YaraJNIWrapper.jar.
+
+bin:
+Contains the built dll and jar.
+
+yarabridge:
+VS project to create the dll that wraps the the libyara library.
+
+YaraJNIWrapper:
+Simple jar file that contains the native JNI methods for accessing the yarabridge.dll.
+
+
+Steps for building yarabridge, YaraJNIWrapper and YaraWrapperTest.
+
+1. Clone the yara repo at the same level as you have the autopsy repo. https://github.com/VirusTotal/yara
+2. Build libyara:
+ - Open the project yara/windows/2015/yara.sln
+ - Build Release x64.
+3. Open the yarabridge project and build Release x64.
+ -If you have link issues, make sure you build release x64 in the previous step.
+ -This project will automatically copy the built dll to the bin folder.
+4. Build YaraJNIWrapper
+ - Open in netbeans and select Build.
+ - Manually move the newly build jar file to the bin folder. After building the jar file can be found in
+ yara/YaraJNIWrapper/dist/
+ - Any matching rules will appear on the CL or the output of the project.
+5. Test
+ - Open the YaraWrapperTest
+ - In the Run Properties you need to specify the path to a compiled yara rule file and a file to search.
+ There are sample files in YaraWrapperTest\resources.
+ - If you would like to make your own compiled rule file you can use the yarac tool that can be found
+ in yara/windows/vs2015/Release, if its not there go back to the yara project and build all of the
+ projects.
+
+Troubleshooting:
+- When building libyara make sure that you are building the vs2015 project (There is a vs2017 project too).
+ The paths in the yarabrige package are relative, but assume
+ that you are building the release version of the dll with the vs2015 project.
+- Don't forget to move the YaraJNIWrapper.jar after you build it.
diff --git a/thirdparty/yara/YaraJNIWrapper/build.xml b/thirdparty/yara/YaraJNIWrapper/build.xml
new file mode 100755
index 0000000000..b1000f923d
--- /dev/null
+++ b/thirdparty/yara/YaraJNIWrapper/build.xml
@@ -0,0 +1,73 @@
+
+
+
+
+
+
+
+
+
+
+ Builds, tests, and runs the project YaraJNIWrapper.
+
+
+
diff --git a/thirdparty/yara/YaraJNIWrapper/nbproject/build-impl.xml b/thirdparty/yara/YaraJNIWrapper/nbproject/build-impl.xml
new file mode 100755
index 0000000000..38dd8d0c87
--- /dev/null
+++ b/thirdparty/yara/YaraJNIWrapper/nbproject/build-impl.xml
@@ -0,0 +1,1770 @@
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ Must set src.dir
+ Must set test.src.dir
+ Must set build.dir
+ Must set dist.dir
+ Must set build.classes.dir
+ Must set dist.javadoc.dir
+ Must set build.test.classes.dir
+ Must set build.test.results.dir
+ Must set build.classes.excludes
+ Must set dist.jar
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ Must set javac.includes
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ No tests executed.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ Must set JVM to use for profiling in profiler.info.jvm
+ Must set profiler agent JVM arguments in profiler.info.jvmargs.agent
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ Must select some files in the IDE or set javac.includes
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ To run this application from the command line without Ant, try:
+
+ java -jar "${dist.jar.resolved}"
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ Must select one file in the IDE or set run.class
+
+
+
+ Must select one file in the IDE or set run.class
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ Must select one file in the IDE or set debug.class
+
+
+
+
+ Must select one file in the IDE or set debug.class
+
+
+
+
+ Must set fix.includes
+
+
+
+
+
+
+
+
+
+ This target only works when run from inside the NetBeans IDE.
+
+
+
+
+
+
+
+
+ Must select one file in the IDE or set profile.class
+ This target only works when run from inside the NetBeans IDE.
+
+
+
+
+
+
+
+
+ This target only works when run from inside the NetBeans IDE.
+
+
+
+
+
+
+
+
+
+
+
+
+ This target only works when run from inside the NetBeans IDE.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ Must select one file in the IDE or set run.class
+
+
+
+
+
+ Must select some files in the IDE or set test.includes
+
+
+
+
+ Must select one file in the IDE or set run.class
+
+
+
+
+ Must select one file in the IDE or set applet.url
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ Must select some files in the IDE or set javac.includes
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ Some tests failed; see details above.
+
+
+
+
+
+
+
+
+ Must select some files in the IDE or set test.includes
+
+
+
+ Some tests failed; see details above.
+
+
+
+ Must select some files in the IDE or set test.class
+ Must select some method in the IDE or set test.method
+
+
+
+ Some tests failed; see details above.
+
+
+
+
+ Must select one file in the IDE or set test.class
+
+
+
+ Must select one file in the IDE or set test.class
+ Must select some method in the IDE or set test.method
+
+
+
+
+
+
+
+
+
+
+
+
+
+ Must select one file in the IDE or set applet.url
+
+
+
+
+
+
+
+
+ Must select one file in the IDE or set applet.url
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
diff --git a/thirdparty/yara/YaraJNIWrapper/nbproject/private/private.xml b/thirdparty/yara/YaraJNIWrapper/nbproject/private/private.xml
new file mode 100755
index 0000000000..475096252c
--- /dev/null
+++ b/thirdparty/yara/YaraJNIWrapper/nbproject/private/private.xml
@@ -0,0 +1,4 @@
+
+
+
+
diff --git a/thirdparty/yara/YaraJNIWrapper/nbproject/project.properties b/thirdparty/yara/YaraJNIWrapper/nbproject/project.properties
new file mode 100755
index 0000000000..a0ef4dac37
--- /dev/null
+++ b/thirdparty/yara/YaraJNIWrapper/nbproject/project.properties
@@ -0,0 +1,93 @@
+annotation.processing.enabled=true
+annotation.processing.enabled.in.editor=false
+annotation.processing.processor.options=
+annotation.processing.processors.list=
+annotation.processing.run.all.processors=true
+annotation.processing.source.output=${build.generated.sources.dir}/ap-source-output
+build.classes.dir=${build.dir}/classes
+build.classes.excludes=**/*.java,**/*.form
+# This directory is removed when the project is cleaned:
+build.dir=build
+build.generated.dir=${build.dir}/generated
+build.generated.sources.dir=${build.dir}/generated-sources
+# Only compile against the classpath explicitly listed here:
+build.sysclasspath=ignore
+build.test.classes.dir=${build.dir}/test/classes
+build.test.results.dir=${build.dir}/test/results
+# Uncomment to specify the preferred debugger connection transport:
+#debug.transport=dt_socket
+debug.classpath=\
+ ${run.classpath}
+debug.modulepath=\
+ ${run.modulepath}
+debug.test.classpath=\
+ ${run.test.classpath}
+debug.test.modulepath=\
+ ${run.test.modulepath}
+# Files in build.classes.dir which should be excluded from distribution jar
+dist.archive.excludes=
+# This directory is removed when the project is cleaned:
+dist.dir=dist
+dist.jar=${dist.dir}/YaraJNIWrapper.jar
+dist.javadoc.dir=${dist.dir}/javadoc
+dist.jlink.dir=${dist.dir}/jlink
+dist.jlink.output=${dist.jlink.dir}/YaraJNIWrapper
+excludes=
+includes=**
+jar.compress=false
+javac.classpath=
+# Space-separated list of extra javac options
+javac.compilerargs=
+javac.deprecation=false
+javac.external.vm=true
+javac.modulepath=
+javac.processormodulepath=
+javac.processorpath=\
+ ${javac.classpath}
+javac.source=1.8
+javac.target=1.8
+javac.test.classpath=\
+ ${javac.classpath}:\
+ ${build.classes.dir}
+javac.test.modulepath=\
+ ${javac.modulepath}
+javac.test.processorpath=\
+ ${javac.test.classpath}
+javadoc.additionalparam=
+javadoc.author=false
+javadoc.encoding=${source.encoding}
+javadoc.html5=false
+javadoc.noindex=false
+javadoc.nonavbar=false
+javadoc.notree=false
+javadoc.private=false
+javadoc.splitindex=true
+javadoc.use=true
+javadoc.version=false
+javadoc.windowtitle=
+# The jlink additional root modules to resolve
+jlink.additionalmodules=
+# The jlink additional command line parameters
+jlink.additionalparam=
+jlink.launcher=true
+jlink.launcher.name=YaraJNIWrapper
+meta.inf.dir=${src.dir}/META-INF
+mkdist.disabled=true
+platform.active=default_platform
+run.classpath=\
+ ${javac.classpath}:\
+ ${build.classes.dir}
+# Space-separated list of JVM arguments used when running the project.
+# You may also define separate properties like run-sys-prop.name=value instead of -Dname=value.
+# To set system properties for unit tests define test-sys-prop.name=value:
+run.jvmargs=
+run.modulepath=\
+ ${javac.modulepath}
+run.test.classpath=\
+ ${javac.test.classpath}:\
+ ${build.test.classes.dir}
+run.test.modulepath=\
+ ${javac.test.modulepath}
+source.encoding=UTF-8
+src.dir=src
+test.src.dir=test
diff --git a/thirdparty/yara/YaraJNIWrapper/nbproject/project.xml b/thirdparty/yara/YaraJNIWrapper/nbproject/project.xml
new file mode 100755
index 0000000000..df43138d7e
--- /dev/null
+++ b/thirdparty/yara/YaraJNIWrapper/nbproject/project.xml
@@ -0,0 +1,15 @@
+
+
+ org.netbeans.modules.java.j2seproject
+
+
+ YaraJNIWrapper
+
+
+
+
+
+
+
+
+
diff --git a/thirdparty/yara/YaraJNIWrapper/src/org/sleuthkit/autopsy/yara/YaraJNIWrapper.java b/thirdparty/yara/YaraJNIWrapper/src/org/sleuthkit/autopsy/yara/YaraJNIWrapper.java
new file mode 100755
index 0000000000..0fc5e8f0f4
--- /dev/null
+++ b/thirdparty/yara/YaraJNIWrapper/src/org/sleuthkit/autopsy/yara/YaraJNIWrapper.java
@@ -0,0 +1,68 @@
+/*
+ * Autopsy Forensic Browser
+ *
+ * Copyright 2020 Basis Technology Corp.
+ * Contact: carrier sleuthkit org
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.sleuthkit.autopsy.yara;
+
+import java.net.URISyntaxException;
+import java.nio.file.Path;
+import java.nio.file.Paths;
+import java.util.List;
+import java.util.logging.Level;
+import java.util.logging.Logger;
+
+/**
+ *
+ * native JNI interface to the yarabridge dll.
+ */
+public class YaraJNIWrapper {
+
+ // Load the yarabridge.dll which should be located in the same directory as
+ // the jar file. If we need to use this code for debugging the dll this
+ // code will need to be modified to add that support.
+ static {
+ Path directoryPath = null;
+ try {
+ directoryPath = Paths.get(YaraJNIWrapper.class.getProtectionDomain().getCodeSource().getLocation().toURI()).getParent().toAbsolutePath();
+ } catch (URISyntaxException ex) {
+ Logger.getLogger(YaraJNIWrapper.class.getName()).log(Level.SEVERE, null, ex);
+ }
+ String libraryPath = Paths.get(directoryPath != null ? directoryPath.toString() : "", "yarabridge.dll").toAbsolutePath().toString();
+ System.load(libraryPath);
+ }
+
+ /**
+ * Returns a list of rules that were found in the given byteBuffer.
+ *
+ * The rule path must be to a yara compile rule file.
+ *
+ * @param compiledRulesPath
+ * @param byteBuffer
+ *
+ * @return List of rules found rules. Null maybe returned if error occurred.
+ *
+ * @throws YaraWrapperException
+ */
+ static public native List findRuleMatch(String compiledRulesPath, byte[] byteBuffer) throws YaraWrapperException;
+
+ /**
+ * private constructor.
+ */
+ private YaraJNIWrapper() {
+ }
+
+}
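Review bot: In the static initializer, a `URISyntaxException` is only logged, and the code then falls back to `Paths.get("", "yarabridge.dll").toAbsolutePath()`, which resolves against the process working directory. `System.load` would then load whatever `yarabridge.dll` sits there instead of the one shipped beside the jar. Failing closed is safer for a native library load: replace the log call in the catch with `throw new ExceptionInInitializerError(ex);` and remove the `directoryPath != null ? ... : ""` fallback. `getCodeSource()` may also return null under some class loaders, which would surface here as a bare NullPointerException during class initialization, so an explicit null check with a clear message is worth adding. The `findRuleMatch` javadoc leaves its `@param` and `@throws` tags empty; it should state that `compiledRulesPath` is handed to the native library and is expected to name a compiled rule file from a trusted source.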
diff --git a/thirdparty/yara/YaraJNIWrapper/src/org/sleuthkit/autopsy/yara/YaraWrapperException.java b/thirdparty/yara/YaraJNIWrapper/src/org/sleuthkit/autopsy/yara/YaraWrapperException.java
new file mode 100755
index 0000000000..d93d436ffc
--- /dev/null
+++ b/thirdparty/yara/YaraJNIWrapper/src/org/sleuthkit/autopsy/yara/YaraWrapperException.java
@@ -0,0 +1,37 @@
+/*
+ * Autopsy Forensic Browser
+ *
+ * Copyright 2020 Basis Technology Corp.
+ * Contact: carrier sleuthkit org
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.sleuthkit.autopsy.yara;
+
+/**
+ *
+ * An exception class for the YaraWrapper Library
+ */
+public class YaraWrapperException extends Exception{
+
+ private static final long serialVersionUID = 1L;
+
+ /**
+ * Create exception containing the error message
+ *
+ * @param msg Error message
+ */
+ public YaraWrapperException(String msg) {
+ super(msg);
+ }
+}
diff --git a/thirdparty/yara/YaraWrapperTest/build.xml b/thirdparty/yara/YaraWrapperTest/build.xml
new file mode 100755
index 0000000000..d108da9a59
--- /dev/null
+++ b/thirdparty/yara/YaraWrapperTest/build.xml
@@ -0,0 +1,73 @@
+
+
+
+
+
+
+
+
+
+
+ Builds, tests, and runs the project YaraWrapperTest.
+
+
+
diff --git a/thirdparty/yara/YaraWrapperTest/manifest.mf b/thirdparty/yara/YaraWrapperTest/manifest.mf
new file mode 100755
index 0000000000..328e8e5bc3
--- /dev/null
+++ b/thirdparty/yara/YaraWrapperTest/manifest.mf
@@ -0,0 +1,3 @@
+Manifest-Version: 1.0
+X-COMMENT: Main-Class will be added automatically by build
+
diff --git a/thirdparty/yara/YaraWrapperTest/nbproject/build-impl.xml b/thirdparty/yara/YaraWrapperTest/nbproject/build-impl.xml
new file mode 100755
index 0000000000..98375a4932
--- /dev/null
+++ b/thirdparty/yara/YaraWrapperTest/nbproject/build-impl.xml
@@ -0,0 +1,1770 @@
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ Must set src.dir
+ Must set test.src.dir
+ Must set build.dir
+ Must set dist.dir
+ Must set build.classes.dir
+ Must set dist.javadoc.dir
+ Must set build.test.classes.dir
+ Must set build.test.results.dir
+ Must set build.classes.excludes
+ Must set dist.jar
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ Must set javac.includes
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ No tests executed.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ Must set JVM to use for profiling in profiler.info.jvm
+ Must set profiler agent JVM arguments in profiler.info.jvmargs.agent
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ Must select some files in the IDE or set javac.includes
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ To run this application from the command line without Ant, try:
+
+ java -jar "${dist.jar.resolved}"
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ Must select one file in the IDE or set run.class
+
+
+
+ Must select one file in the IDE or set run.class
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ Must select one file in the IDE or set debug.class
+
+
+
+
+ Must select one file in the IDE or set debug.class
+
+
+
+
+ Must set fix.includes
+
+
+
+
+
+
+
+
+
+ This target only works when run from inside the NetBeans IDE.
+
+
+
+
+
+
+
+
+ Must select one file in the IDE or set profile.class
+ This target only works when run from inside the NetBeans IDE.
+
+
+
+
+
+
+
+
+ This target only works when run from inside the NetBeans IDE.
+
+
+
+
+
+
+
+
+
+
+
+
+ This target only works when run from inside the NetBeans IDE.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ Must select one file in the IDE or set run.class
+
+
+
+
+
+ Must select some files in the IDE or set test.includes
+
+
+
+
+ Must select one file in the IDE or set run.class
+
+
+
+
+ Must select one file in the IDE or set applet.url
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ Must select some files in the IDE or set javac.includes
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ Some tests failed; see details above.
+
+
+
+
+
+
+
+
+ Must select some files in the IDE or set test.includes
+
+
+
+ Some tests failed; see details above.
+
+
+
+ Must select some files in the IDE or set test.class
+ Must select some method in the IDE or set test.method
+
+
+
+ Some tests failed; see details above.
+
+
+
+
+ Must select one file in the IDE or set test.class
+
+
+
+ Must select one file in the IDE or set test.class
+ Must select some method in the IDE or set test.method
+
+
+
+
+
+
+
+
+
+
+
+
+
+ Must select one file in the IDE or set applet.url
+
+
+
+
+
+
+
+
+ Must select one file in the IDE or set applet.url
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
diff --git a/thirdparty/yara/YaraWrapperTest/nbproject/private/private.xml b/thirdparty/yara/YaraWrapperTest/nbproject/private/private.xml
new file mode 100755
index 0000000000..475096252c
--- /dev/null
+++ b/thirdparty/yara/YaraWrapperTest/nbproject/private/private.xml
@@ -0,0 +1,4 @@
+
+
+
+
diff --git a/thirdparty/yara/YaraWrapperTest/nbproject/project.properties b/thirdparty/yara/YaraWrapperTest/nbproject/project.properties
new file mode 100755
index 0000000000..c0126ab42a
--- /dev/null
+++ b/thirdparty/yara/YaraWrapperTest/nbproject/project.properties
@@ -0,0 +1,99 @@
+annotation.processing.enabled=true
+annotation.processing.enabled.in.editor=false
+annotation.processing.processors.list=
+annotation.processing.run.all.processors=true
+annotation.processing.source.output=${build.generated.sources.dir}/ap-source-output
+application.title=YaraWrapperTest
+application.vendor=kelly
+build.classes.dir=${build.dir}/classes
+build.classes.excludes=**/*.java,**/*.form
+# This directory is removed when the project is cleaned:
+build.dir=build
+build.generated.dir=${build.dir}/generated
+build.generated.sources.dir=${build.dir}/generated-sources
+# Only compile against the classpath explicitly listed here:
+build.sysclasspath=ignore
+build.test.classes.dir=${build.dir}/test/classes
+build.test.results.dir=${build.dir}/test/results
+# Uncomment to specify the preferred debugger connection transport:
+#debug.transport=dt_socket
+debug.classpath=\
+ ${run.classpath}
+debug.modulepath=\
+ ${run.modulepath}
+debug.test.classpath=\
+ ${run.test.classpath}
+debug.test.modulepath=\
+ ${run.test.modulepath}
+# Files in build.classes.dir which should be excluded from distribution jar
+dist.archive.excludes=
+# This directory is removed when the project is cleaned:
+dist.dir=dist
+dist.jar=${dist.dir}/YaraWrapperTest.jar
+dist.javadoc.dir=${dist.dir}/javadoc
+dist.jlink.dir=${dist.dir}/jlink
+dist.jlink.output=${dist.jlink.dir}/YaraWrapperTest
+endorsed.classpath=
+excludes=
+file.reference.YaraJNIWrapper.jar=../bin/YaraJNIWrapper.jar
+includes=**
+jar.compress=false
+javac.classpath=\
+ ${file.reference.YaraJNIWrapper.jar}
+# Space-separated list of extra javac options
+javac.compilerargs=
+javac.deprecation=false
+javac.external.vm=true
+javac.modulepath=
+javac.processormodulepath=
+javac.processorpath=\
+ ${javac.classpath}
+javac.source=1.8
+javac.target=1.8
+javac.test.classpath=\
+ ${javac.classpath}:\
+ ${build.classes.dir}
+javac.test.modulepath=\
+ ${javac.modulepath}
+javac.test.processorpath=\
+ ${javac.test.classpath}
+javadoc.additionalparam=
+javadoc.author=false
+javadoc.encoding=${source.encoding}
+javadoc.html5=false
+javadoc.noindex=false
+javadoc.nonavbar=false
+javadoc.notree=false
+javadoc.private=false
+javadoc.splitindex=true
+javadoc.use=true
+javadoc.version=false
+javadoc.windowtitle=
+# The jlink additional root modules to resolve
+jlink.additionalmodules=
+# The jlink additional command line parameters
+jlink.additionalparam=
+jlink.launcher=true
+jlink.launcher.name=YaraWrapperTest
+main.class=org.sleuthkit.autopsy.yara.YaraWrapperTest
+manifest.file=manifest.mf
+meta.inf.dir=${src.dir}/META-INF
+mkdist.disabled=false
+platform.active=default_platform
+run.classpath=\
+ ${javac.classpath}:\
+ ${build.classes.dir}
+# Space-separated list of JVM arguments used when running the project.
+# You may also define separate properties like run-sys-prop.name=value instead of -Dname=value.
+# To set system properties for unit tests define test-sys-prop.name=value:
+run.jvmargs=
+run.modulepath=\
+ ${javac.modulepath}
+run.test.classpath=\
+ ${javac.test.classpath}:\
+ ${build.test.classes.dir}
+run.test.modulepath=\
+ ${javac.test.modulepath}
+source.encoding=UTF-8
+src.dir=src
+test.src.dir=test
diff --git a/thirdparty/yara/YaraWrapperTest/nbproject/project.xml b/thirdparty/yara/YaraWrapperTest/nbproject/project.xml
new file mode 100755
index 0000000000..3541c3f5d7
--- /dev/null
+++ b/thirdparty/yara/YaraWrapperTest/nbproject/project.xml
@@ -0,0 +1,15 @@
+
+
+ org.netbeans.modules.java.j2seproject
+
+
+ YaraWrapperTest
+
+
+
+
+
+
+
+
+
diff --git a/thirdparty/yara/YaraWrapperTest/resources/hello.compiled b/thirdparty/yara/YaraWrapperTest/resources/hello.compiled
new file mode 100755
index 0000000000..8912235125
Binary files /dev/null and b/thirdparty/yara/YaraWrapperTest/resources/hello.compiled differ
diff --git a/thirdparty/yara/YaraWrapperTest/resources/hello.txt b/thirdparty/yara/YaraWrapperTest/resources/hello.txt
new file mode 100755
index 0000000000..5e1c309dae
--- /dev/null
+++ b/thirdparty/yara/YaraWrapperTest/resources/hello.txt
@@ -0,0 +1 @@
+Hello World
\ No newline at end of file
diff --git a/thirdparty/yara/YaraWrapperTest/src/org/sleuthkit/autopsy/yara/YaraWrapperTest.java b/thirdparty/yara/YaraWrapperTest/src/org/sleuthkit/autopsy/yara/YaraWrapperTest.java
new file mode 100755
index 0000000000..4a57abfef2
--- /dev/null
+++ b/thirdparty/yara/YaraWrapperTest/src/org/sleuthkit/autopsy/yara/YaraWrapperTest.java
@@ -0,0 +1,81 @@
+/*
+ * Autopsy Forensic Browser
+ *
+ * Copyright 2020 Basis Technology Corp.
+ * Contact: carrier sleuthkit org
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.sleuthkit.autopsy.yara;
+
+import java.io.IOException;
+import java.nio.file.Files;
+import java.nio.file.Path;
+import java.nio.file.Paths;
+import java.util.List;
+import java.util.logging.Level;
+import java.util.logging.Logger;
+
+import org.sleuthkit.autopsy.yara.YaraJNIWrapper;
+import org.sleuthkit.autopsy.yara.YaraWrapperException;
+
+/**
+ * Tests the YaraJNIWrapper code.
+ */
+public class YaraWrapperTest {
+
+ private static final Logger logger = Logger.getLogger(YaraWrapperTest.class.getName());
+
+ public static void main(String[] args) {
+ if (args.length < 2) {
+ System.out.println("Please supply two arguments, a yara compiled rule path and a path to the file to scan.");
+ return;
+ }
+
+ testFileRuleMatch(args[0], args[1]);
+ }
+
+ /**
+ * Call the YaraJNIWrapper FindRuleMatch with the given path and output the
+ * results to the cl.
+ *
+ * @param compiledRulePath Path to yara compiled rule file
+ * @param filePath Path to file
+ */
+ private static void testFileRuleMatch(String compiledRulePath, String filePath) {
+ Path path = Paths.get(filePath);
+
+ try {
+ byte[] data = Files.readAllBytes(path);
+
+ List list = YaraJNIWrapper.findRuleMatch(compiledRulePath, data);
+
+ if (list != null) {
+ if (list.isEmpty()) {
+ System.out.println("FindRuleMatch return an empty list");
+ } else {
+ System.out.println("Matching Rules:");
+ for (String s : list) {
+ System.out.println(s);
+ }
+ }
+ } else {
+ logger.log(Level.SEVERE, "FindRuleMatch return a null list");
+ }
+
+ } catch (IOException | YaraWrapperException ex) {
+ logger.log(Level.SEVERE, "Error thrown from yarabridge", ex);
+ }
+ }
+
+}
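Review bot: `testFileRuleMatch` reports every outcome by printing or logging, and `main` always returns normally. A null result, an exception from the bridge, or a missing argument therefore all leave the exit status at zero, so a build script cannot tell a broken yarabridge.dll from a working one. Consider returning a boolean from `testFileRuleMatch`, ending `main` with `System.exit(ok ? 0 : 1);`, and exiting non-zero on the usage path too. A failed `System.load` in `YaraJNIWrapper`'s static initializer would arrive here as an `UnsatisfiedLinkError` or `ExceptionInInitializerError`, which `catch (IOException | YaraWrapperException ex)` does not cover. The imports of `YaraJNIWrapper` and `YaraWrapperException` come from the class's own package and can be dropped.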
diff --git a/thirdparty/yara/bin/YaraJNIWrapper.jar b/thirdparty/yara/bin/YaraJNIWrapper.jar
new file mode 100755
index 0000000000..749d7a6ae7
Binary files /dev/null and b/thirdparty/yara/bin/YaraJNIWrapper.jar differ
diff --git a/thirdparty/yara/bin/yarabridge.dll b/thirdparty/yara/bin/yarabridge.dll
new file mode 100755
index 0000000000..c74062a626
Binary files /dev/null and b/thirdparty/yara/bin/yarabridge.dll differ
diff --git a/thirdparty/yara/yarabridge/yarabridge.sln b/thirdparty/yara/yarabridge/yarabridge.sln
new file mode 100755
index 0000000000..5616f0a9d4
--- /dev/null
+++ b/thirdparty/yara/yarabridge/yarabridge.sln
@@ -0,0 +1,28 @@
+
+Microsoft Visual Studio Solution File, Format Version 12.00
+# Visual Studio 14
+VisualStudioVersion = 14.0.25420.1
+MinimumVisualStudioVersion = 10.0.40219.1
+Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "yarabridge", "yarabridge\yarabridge.vcxproj", "{7922D123-F27A-427B-B3EF-964F5E79FDDA}"
+EndProject
+Global
+ GlobalSection(SolutionConfigurationPlatforms) = preSolution
+ Debug|x64 = Debug|x64
+ Debug|x86 = Debug|x86
+ Release|x64 = Release|x64
+ Release|x86 = Release|x86
+ EndGlobalSection
+ GlobalSection(ProjectConfigurationPlatforms) = postSolution
+ {7922D123-F27A-427B-B3EF-964F5E79FDDA}.Debug|x64.ActiveCfg = Debug|x64
+ {7922D123-F27A-427B-B3EF-964F5E79FDDA}.Debug|x64.Build.0 = Debug|x64
+ {7922D123-F27A-427B-B3EF-964F5E79FDDA}.Debug|x86.ActiveCfg = Debug|Win32
+ {7922D123-F27A-427B-B3EF-964F5E79FDDA}.Debug|x86.Build.0 = Debug|Win32
+ {7922D123-F27A-427B-B3EF-964F5E79FDDA}.Release|x64.ActiveCfg = Release|x64
+ {7922D123-F27A-427B-B3EF-964F5E79FDDA}.Release|x64.Build.0 = Release|x64
+ {7922D123-F27A-427B-B3EF-964F5E79FDDA}.Release|x86.ActiveCfg = Release|Win32
+ {7922D123-F27A-427B-B3EF-964F5E79FDDA}.Release|x86.Build.0 = Release|Win32
+ EndGlobalSection
+ GlobalSection(SolutionProperties) = preSolution
+ HideSolutionNode = FALSE
+ EndGlobalSection
+EndGlobal
diff --git a/thirdparty/yara/yarabridge/yarabridge/YaraJNIWrapper.cpp b/thirdparty/yara/yarabridge/yarabridge/YaraJNIWrapper.cpp
new file mode 100755
index 0000000000..0d36d2a039
--- /dev/null
+++ b/thirdparty/yara/yarabridge/yarabridge/YaraJNIWrapper.cpp
@@ -0,0 +1,138 @@
+/*
+** YaraBridge
+**
+** Brian Carrier [carrier sleuthkit [dot] org]
+** Copyright (c) 2010-2018 Brian Carrier. All Rights reserved
+**
+** This software is distributed under the Common Public License 1.0
+**
+*/
+
+#include
+#include
+#include "YaraJNIWrapper.h"
+#include "yara.h"
+#include
+#include
+#include
+#include
+
+using std::string;
+using std::vector;
+
+
+/*
+ Callback method to be passed to yr_rules_scan_mem method.
+ user_data is expected to be a pointer to a string vector.
+*/
+static int callback(
+ YR_SCAN_CONTEXT* context,
+ int message,
+ void* message_data,
+ void* user_data)
+{
+ if (message == CALLBACK_MSG_RULE_MATCHING) {
+ YR_RULE *rule = (YR_RULE *)message_data;
+
+ ((std::vector*)user_data)->push_back(rule->identifier);
+ }
+ return CALLBACK_CONTINUE;
+}
+
+
+/*
+ Throw a new instance of YaraWrapperException with the given message.
+
+ Unlike in JAVA throwing this exception will not stop the execution
+ of the method from which it is thrown.
+*/
+static void throwException(JNIEnv *env, char * msg) {
+ jclass cls;
+
+ cls = env->FindClass("org/sleuthkit/autopsy/yara/YaraWrapperException");
+ if (cls == NULL) {
+ fprintf(stderr, "Failed to throw YaraWrapperException, cannot find class\n");
+ return;
+ }
+
+ env->ThrowNew(cls, msg);
+
+}
+
+/*
+ Generic method that will create a Java ArrayList object populating it with
+ the strings from the given vector.
+*/
+jobject createArrayList(JNIEnv *env, std::vector vector) {
+ jclass cls_arrayList = env->FindClass("java/util/ArrayList");
+ jmethodID constructor = env->GetMethodID(cls_arrayList, "", "(I)V");
+ jmethodID method_add = env->GetMethodID(cls_arrayList, "add", "(Ljava/lang/Object;)Z");
+
+ jobject list = env->NewObject(cls_arrayList, constructor, vector.size());
+
+ for (std::string str : vector) {
+ jstring element = env->NewStringUTF(str.c_str());
+ env->CallBooleanMethod(list, method_add, element);
+ env->DeleteLocalRef(element);
+ }
+
+ return list;
+}
+
+/*
+* Class: org_sleuthkit_autopsy_yara_YaraJNIWrapper
+* Method: FindRuleMatch
+* Signature: (Ljava/lang/String;[B)Ljava/util/List;
+*/
+JNIEXPORT jobject JNICALL Java_org_sleuthkit_autopsy_yara_YaraJNIWrapper_findRuleMatch
+(JNIEnv * env, jclass cls, jstring compiledRulePath, jbyteArray fileByteArray) {
+
+ char errorMessage[256];
+ const char *nativeString = env->GetStringUTFChars(compiledRulePath, 0);
+ jobject resultList = NULL;
+
+ int result;
+ if ((result = yr_initialize()) != ERROR_SUCCESS) {
+ sprintf_s(errorMessage, "libyara initialization error (%d)\n", result);
+ throwException(env, errorMessage);
+ return resultList;
+ }
+
+ while (1) {
+ YR_RULES *rules = NULL;
+ if ((result = yr_rules_load(nativeString, &rules)) != ERROR_SUCCESS) {
+ sprintf_s(errorMessage, "Failed to load compiled yara rules (%d)\n", result);
+ throwException(env, errorMessage);
+ break;
+ }
+
+ boolean isCopy;
+ int byteArrayLength = env->GetArrayLength(fileByteArray);
+ if (byteArrayLength == 0) {
+ throwException(env, "Unable to scan for matches. File byte array size was 0.");
+ break;
+ }
+
+ jbyte* nativeByteArray = env->GetByteArrayElements(fileByteArray, &isCopy);
+ int flags = 0;
+ std::vector scanResults;
+
+ result = yr_rules_scan_mem(rules, (unsigned char*)nativeByteArray, byteArrayLength, flags, callback, &scanResults, 1000000);
+ env->ReleaseByteArrayElements(fileByteArray, nativeByteArray, 0);
+
+ if (result != ERROR_SUCCESS) {
+ sprintf_s(errorMessage, "Yara file scan failed (%d)\n", result);
+ throwException(env, errorMessage);
+ break;
+ }
+
+ resultList = createArrayList(env, scanResults);
+ break;
+ }
+
+ env->ReleaseStringUTFChars(compiledRulePath, nativeString);
+ yr_finalize();
+
+ return resultList;
+
+}
\ No newline at end of file
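Review bot: `findRuleMatch` never releases the `YR_RULES` object that `yr_rules_load` returns, so every call that gets past the load leaks the compiled rule set, including the zero-length and scan-failure exits from the `while (1)` block. The early `return resultList;` after a failed `yr_initialize()` also skips `ReleaseStringUTFChars`, and the pointers from `GetStringUTFChars` and `GetByteArrayElements` are used without a NULL check. If this is called once per scanned file, as the byte-array signature suggests, the leak grows with the size of the data source, so I would hoist `rules` out of the loop and call `yr_rules_destroy(rules)` in the shared cleanup path, as sketched below. Separately, the `1000000` passed to `yr_rules_scan_mem` is a timeout in seconds, which leaves a scan of a pathological input effectively unbounded; a much smaller or caller-supplied value would be safer.

```cpp
    const char *nativeString = env->GetStringUTFChars(compiledRulePath, 0);
    if (nativeString == NULL) {
        return NULL; // JNI could not provide the path string
    }
    // … unchanged: resultList and result declarations …
    if ((result = yr_initialize()) != ERROR_SUCCESS) {
        // … unchanged: format the message and throw …
        env->ReleaseStringUTFChars(compiledRulePath, nativeString);
        return resultList;
    }

    YR_RULES *rules = NULL; // hoisted so the cleanup path below can see it
    while (1) {
        // … unchanged: yr_rules_load, array length check …
        jbyte* nativeByteArray = env->GetByteArrayElements(fileByteArray, &isCopy);
        if (nativeByteArray == NULL) {
            break; // JNI could not pin or copy the array
        }
        // … unchanged: scan, ReleaseByteArrayElements, result handling …
    }

    if (rules != NULL) {
        yr_rules_destroy(rules);
    }
    // … unchanged: ReleaseStringUTFChars, yr_finalize, return …
```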
diff --git a/thirdparty/yara/yarabridge/yarabridge/YaraJNIWrapper.h b/thirdparty/yara/yarabridge/yarabridge/YaraJNIWrapper.h
new file mode 100755
index 0000000000..6c5f5f5d75
--- /dev/null
+++ b/thirdparty/yara/yarabridge/yarabridge/YaraJNIWrapper.h
@@ -0,0 +1,21 @@
+/* DO NOT EDIT THIS FILE - it is machine generated */
+#include
+/* Header for class org_sleuthkit_autopsy_yara_YaraJNIWrapper */
+
+#ifndef _Included_org_sleuthkit_autopsy_yara_YaraJNIWrapper
+#define _Included_org_sleuthkit_autopsy_yara_YaraJNIWrapper
+#ifdef __cplusplus
+extern "C" {
+#endif
+ /*
+ * Class: org_sleuthkit_autopsy_yara_YaraJNIWrapper
+ * Method: FindRuleMatch
+ * Signature: (Ljava/lang/String;[B)Ljava/util/List;
+ */
+ JNIEXPORT jobject JNICALL Java_org_sleuthkit_autopsy_yara_YaraJNIWrapper_findRuleMatch
+ (JNIEnv *, jclass, jstring, jbyteArray);
+
+#ifdef __cplusplus
+}
+#endif
+#endif
diff --git a/thirdparty/yara/yarabridge/yarabridge/stdafx.cpp b/thirdparty/yara/yarabridge/yarabridge/stdafx.cpp
new file mode 100755
index 0000000000..68193816bc
--- /dev/null
+++ b/thirdparty/yara/yarabridge/yarabridge/stdafx.cpp
@@ -0,0 +1,8 @@
+// stdafx.cpp : source file that includes just the standard includes
+// yarabridge.pch will be the pre-compiled header
+// stdafx.obj will contain the pre-compiled type information
+
+#include "stdafx.h"
+
+// TODO: reference any additional headers you need in STDAFX.H
+// and not in this file
diff --git a/thirdparty/yara/yarabridge/yarabridge/stdafx.h b/thirdparty/yara/yarabridge/yarabridge/stdafx.h
new file mode 100755
index 0000000000..f3a07375c7
--- /dev/null
+++ b/thirdparty/yara/yarabridge/yarabridge/stdafx.h
@@ -0,0 +1,16 @@
+// stdafx.h : include file for standard system include files,
+// or project specific include files that are used frequently, but
+// are changed infrequently
+//
+
+#pragma once
+
+#include "targetver.h"
+
+#define WIN32_LEAN_AND_MEAN // Exclude rarely-used stuff from Windows headers
+// Windows Header Files:
+#include
+
+
+
+// TODO: reference additional headers your program requires here
diff --git a/thirdparty/yara/yarabridge/yarabridge/targetver.h b/thirdparty/yara/yarabridge/yarabridge/targetver.h
new file mode 100755
index 0000000000..87c0086de7
--- /dev/null
+++ b/thirdparty/yara/yarabridge/yarabridge/targetver.h
@@ -0,0 +1,8 @@
+#pragma once
+
+// Including SDKDDKVer.h defines the highest available Windows platform.
+
+// If you wish to build your application for a previous Windows platform, include WinSDKVer.h and
+// set the _WIN32_WINNT macro to the platform you wish to support before including SDKDDKVer.h.
+
+#include
diff --git a/thirdparty/yara/yarabridge/yarabridge/yarabridge.vcxproj b/thirdparty/yara/yarabridge/yarabridge/yarabridge.vcxproj
new file mode 100755
index 0000000000..ce5dd10c80
--- /dev/null
+++ b/thirdparty/yara/yarabridge/yarabridge/yarabridge.vcxproj
@@ -0,0 +1,174 @@
+
+
+
+
+ Debug
+ Win32
+
+
+ Release
+ Win32
+
+
+ Debug
+ x64
+
+
+ Release
+ x64
+
+
+
+ {7922D123-F27A-427B-B3EF-964F5E79FDDA}
+ Win32Proj
+ yarabridge
+ 8.1
+
+
+
+ DynamicLibrary
+ true
+ v140
+ Unicode
+
+
+ DynamicLibrary
+ false
+ v140
+ true
+ Unicode
+
+
+ DynamicLibrary
+ true
+ v140
+ Unicode
+
+
+ DynamicLibrary
+ false
+ v140
+ true
+ Unicode
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ true
+
+
+ true
+ $(JDK_HOME)\include\win32;$(JDK_HOME)\include;..\..\..\..\..\yara\libyara\include;$(IncludePath)
+ $(LibraryPath)
+
+
+ false
+
+
+ false
+ $(JDK_HOME)\include\win32;$(JDK_HOME)\include;..\..\..\..\..\yara\libyara\include;$(IncludePath)
+ $(LibraryPath)
+
+
+
+
+
+ Level3
+ Disabled
+ WIN32;_DEBUG;_WINDOWS;_USRDLL;YARABRIDGE_EXPORTS;%(PreprocessorDefinitions)
+
+
+ Windows
+ true
+
+
+
+
+
+
+ Level3
+ Disabled
+ _DEBUG;_WINDOWS;_USRDLL;YARABRIDGE_EXPORTS;%(PreprocessorDefinitions)
+
+
+ Windows
+ true
+ $(ProjectDir)..\..\..\..\..\yara\windows\vs2015\libyara\Release;%(AdditionalLibraryDirectories)
+ ws2_32.lib;crypt32.lib;libyara64.lib;%(AdditionalDependencies)
+
+
+ copy "$(SolutionDir)$(Platform)\$(Configuration)\$(ProjectName).dll" "$(SolutionDir)..\bin\$(ProjectName).dll"
+
+
+
+
+ Level3
+
+
+ MaxSpeed
+ true
+ true
+ WIN32;NDEBUG;_WINDOWS;_USRDLL;YARABRIDGE_EXPORTS;%(PreprocessorDefinitions)
+
+
+ Windows
+ true
+ true
+ true
+
+
+
+
+ Level3
+
+
+ MaxSpeed
+ true
+ true
+ NDEBUG;_WINDOWS;_USRDLL;YARABRIDGE_EXPORTS;%(PreprocessorDefinitions)
+ $(JDK_HOME)\include;%(AdditionalIncludeDirectories)
+
+
+ Windows
+ true
+ true
+ true
+ $(ProjectDir)..\..\..\..\..\yara\windows\vs2015\libyara\Release;%(AdditionalLibraryDirectories)
+ ws2_32.lib;crypt32.lib;libyara64.lib;%(AdditionalDependencies)
+
+
+ copy "$(SolutionDir)$(Platform)\$(Configuration)\$(ProjectName).dll" "$(SolutionDir)..\bin\$(ProjectName).dll"
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
\ No newline at end of file
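Review bot: Nothing in this project file records which libyara revision is compiled and linked: the include path `..\..\..\..\..\yara\libyara\include` and the library directory `$(ProjectDir)..\..\..\..\..\yara\windows\vs2015\libyara\Release` both resolve into whatever sibling checkout happens to be on the build machine. Because the post-build `copy` step places the resulting dll in `..\bin`, which this commit also checks in, the shipped binary cannot be traced back to a known libyara source. I would add a comment next to the library directory such as `<!-- libyara built from tag PLACEHOLDER_TAG, commit PLACEHOLDER_COMMIT -->` and keep it updated whenever the dll is rebuilt. The block that defines `_DEBUG` without `WIN32` also appears to point at the same `Release` library directory, which would mix debug and release builds; that is worth confirming, since the property-group tags are not visible here.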