 Hello, today I want to show you a new version of pdf-parser, and that is support for YARA rules. So in this new version, version 0.6.0, we have the option yara now. And when you use that option, you can provide rules to pdf-parser, and it will use those YARA rules to check the streams that it finds in the PDF document. So it will filter the streams and then run the YARA rules on this.

And let me illustrate this with JavaScript. So recently, somebody asked me if I could add code to pdf-parser to detect JavaScript functions that are often used in malicious PDF documents, for example, like eval or unescape. And I told him that I was not going to do that because I had a new version, a new feature in pdf-parser, and that is YARA support. And you can easily write your own YARA rules to detect such kind of functions like eval or unescape.

So let me show you this. I run pdf-parser, option yara. And here I have a set of YARA rules in the file. We are going to look at this in detail later. But this detects suspect functions in JavaScript. And now I give it a PDF document that contains JavaScript, like this. And then you can see here that it detected object 8, that a YARA rule triggered on it, and that is the eval function. So this stream here of object 8 contains the eval function for JavaScript. You can have a look with the filter option, like this, -f, to filter the stream. And then you also have the output of the stream, and here you can see at the end the eval function.

Now if you use YARA here in this case on a PDF document that doesn't contain JavaScript, like this one here, then you just get no output. So if a rule triggers, you get the name of the rule and you get the object on which it triggered. If it doesn't trigger, you don't get any output.

Okay, so let's take a look now at the YARA rules. So I have two rules here. I want to detect the eval function and the unescape function.
So this here is done with a regular expression, and that's actually all. You could also do it with a string. Let me show you, just like this, eval, and then it will trigger when it detects the eval string inside the function. But this can lead to false positives; for example, if you have the word evaluation like this in your stream, then eval will also trigger on it. So we want to make it a bit less prone to false positives.

So we want the word eval, and after the word eval there's a left parenthesis, an opening parenthesis, so we are going to specify this too. But you can sometimes have spaces here. White space is allowed, so there can be a space or more than one space. And the best thing to match such kind of string is to use regular expressions.

So in YARA, regular expressions are written like this. This will just match the string eval. And I also want to match the opening parenthesis, like this. But in regular expression syntax this has special meaning, so you have to escape it like this, so that you match this character. So you can have white space here. So let's add white space. This here means a white space character, so that's a space character. But it can also be a tab character or a line feed or a carriage return. And this means that we want exactly just one white space character. But as you know, it can be zero or more white space characters. So you do this with this modifier, the asterisk. This way you encode a regular expression to match eval, white space or not, and then the opening parenthesis.

Now you can still have false positives, if you have in your JavaScript another function that ends with this string. For example if you have the function eval in there then this will also match. So what we are going to do here is say this here must be a word boundary. And this is the syntax in regular expressions for word boundaries. So it means that eval here is at a word boundary, so that's the start of a word.
But unfortunately YARA does not support word boundaries. So we are going to replace that with something else: with W uppercase here, and this stands for any character except alphanumeric characters. So this way we are also making sure that this is the beginning of a word. The only difference here is that there has to be a character before the eval function. So if the eval function is really at the beginning, the first string in your stream, then this regular expression will not match.

And here is another example with the unescape function. Exactly the same here: the string unescape, white space, open parenthesis here, and we want this to be the start of the word unescape.
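
The regular-expression refinement walked through above, as an added example that is not part of the original video or of pdf-parser. Assumptions: Python's `re` module stands in for YARA's regex engine, and the sample streams and the function name `myeval` are constructed for illustration.

```python
import re

# The four stages of the eval pattern from the video, in the order discussed.
# Assumption: Python's re is used as a stand-in for YARA's regex engine.
PATTERNS = {
    "plain string": rb"eval",
    "with parenthesis": rb"eval\s*\(",
    "word boundary": rb"\beval\s*\(",
    "non-word prefix": rb"\Weval\s*\(",
}

# Constructed stream contents (not taken from any real PDF).
SAMPLES = {
    "call": b"var x = 1; eval(payload);",
    "call_with_whitespace": b"x=1;eval \t(payload);",
    "prose": b"// evaluation of the form fields",
    "suffix_name": b"function myeval(a) { return a; }",  # hypothetical name
    "at_start": b"eval(payload);",
}


def triggers(pattern: bytes, data: bytes) -> bool:
    """True when the pattern is found anywhere in the stream bytes."""
    return re.search(pattern, data) is not None


def matrix() -> dict:
    """Map each pattern stage to the samples it triggers on."""
    return {
        stage: {name: triggers(rx, data) for name, data in SAMPLES.items()}
        for stage, rx in PATTERNS.items()
    }


if __name__ == "__main__":
    names = list(SAMPLES)
    print(f"{'stage':<18}" + "".join(f"{n:<22}" for n in names))
    for stage, row in matrix().items():
        print(f"{stage:<18}" + "".join(f"{str(row[n]):<22}" for n in names))
```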