Show HN: ShadowStrike EDR/XDR Kernel Sensor Development

  • Posted 22 hours ago by Soocile
  • 2 points
I've been building an open-source kernel-mode EDR/XDR sensor called Phantom Sensor for about two years now as a solo project. It just hit a milestone I'm pretty excited about - the driver loads cleanly on Windows 11, passes Driver Verifier with all standard flags enabled, and survives normal use without crashing.

The kernel sensor (PhantomSensor) is a WFP+minifilter driver sitting at altitude 385210. It's written in C targeting the WDK, roughly 370k lines across 70+ modules. Some of what it does:

  • ObRegisterCallbacks for process/thread handle stripping (anti-injection, anti-debug)
  • Minifilter callbacks with stream contexts for file monitoring, ransomware backup engine, section object tracking
  • WFP callouts for network inspection: TCP stream reassembly, DNS monitoring, C2 beacon detection, TLS fingerprinting
  • PsSetCreateProcessNotifyRoutineEx / PsSetLoadImageNotifyRoutine for behavioral analysis
  • ETW provider + consumer for kernel telemetry
  • Registry callback for persistence detection (Run keys, services, scheduled tasks)
  • Process hollowing detection via VAD analysis + PE header comparison
  • Syscall table monitoring, direct syscall detection, Heaven's Gate, Halo's Gate and Hell's Gate detection
  • Lookaside lists for hot-path allocations, rundown protection for safe teardown, reference-counted object lifetimes

The behavioral engine tracks attack chains and maps them to MITRE ATT&CK techniques. The thread protection module does per-process activity tracking with hash-bucketed trackers and rate limiting; I had a fun use-after-free in there (refcount off-by-one on newly inserted trackers, InsertTailList caught the corrupted list entry - classic).

It's been a long road of analyzing dump reports using kd.exe (the kernel debugger) and WinDbg x64 and finding the errors that triggered the BSOD. Here are some: WORKER_INVALID from double-queuing an IO_WORKITEM on periodic timers. Stack overflows from 4KB structs in image load callbacks. IRQL_NOT_LESS_OR_EQUAL from ERESOURCE without KeEnterCriticalRegion. Each one taught me something.

The codebase is AGPL v3. But understand it is still not complete (the kernel sensor is not the only component). We have a Beta 2028 target for the full product, specifically three products (Phantom XDR, Phantom EDR and Phantom Consumer solutions) under the ShadowStrike brand.

If you want to support or follow the journey of developing a kernel driver and a user-mode agent for the ShadowStrike Phantom products:
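The refcount off-by-one on newly inserted trackers that the post mentions is the classic kernel object-lifetime mistake, and the post does not show the code, so here is an added portable C model of it. This is not PhantomSensor's code: the tracker table, bucket count, poisoning and quarantine are assumptions made for this demo, and the LIST_ENTRY stand-in only reproduces the Blink->Flink consistency check that Windows' InsertTailList performs. A tracker that has just been linked into a hash bucket must carry two references, one owned by the bucket and one handed to the caller; counting only the caller's reference makes the first release destroy the node while the bucket still points at it, and the next insert into that bucket then trips the list check.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdlib.h>

/* Portable stand-in for Windows' LIST_ENTRY. insert_tail reproduces the check InsertTailList
 * performs (Blink->Flink must equal Head, otherwise FAST_FAIL_CORRUPTED_LIST_ENTRY). */
typedef struct list_entry { struct list_entry *flink, *blink; } list_entry;
static void list_init(list_entry *head) { head->flink = head->blink = head; }
static bool list_entry_valid(const list_entry *e)
{ return e->flink && e->blink && e->flink->blink == e && e->blink->flink == e; }

static bool insert_tail(list_entry *head, list_entry *entry)
{
    list_entry *last = head->blink;
    if (last->flink != head) return false;      /* predecessor is dangling or poisoned: refuse */
    entry->flink = head;  entry->blink = last;
    last->flink  = entry; head->blink  = entry;
    return true;
}
static void remove_entry(list_entry *e) { e->blink->flink = e->flink; e->flink->blink = e->blink; }

#define BUCKETS 16u                 /* assumed bucket count for the demo */

typedef struct tracker {
    list_entry      link;       /* bucket membership; the table owns one reference through it */
    uint32_t        pid;
    long            refcount;   /* table's reference + one per caller currently holding it */
    unsigned        events;
    struct tracker *dead_next;  /* quarantine chain, see tracker_destroy */
} tracker;

typedef struct {
    list_entry bucket[BUCKETS];
    list_entry poison;          /* destroyed trackers' links are pointed here (its links are NULL) */
    tracker   *dead;            /* destroyed trackers, quarantined so freed memory is never read */
    unsigned   destroyed;
} tracker_table;

static void table_init(tracker_table *t)
{
    for (unsigned i = 0; i < BUCKETS; i++) list_init(&t->bucket[i]);
    t->poison.flink = t->poison.blink = NULL; t->dead = NULL; t->destroyed = 0;
}

/* Stands in for ExFreePool: poison and quarantine instead of freeing, so that a dangling
 * link is detected deterministically here instead of being undefined behaviour. */
static void tracker_destroy(tracker_table *t, tracker *tr)
{
    tr->link.flink = tr->link.blink = &t->poison;
    tr->pid = 0; t->destroyed++;
    tr->dead_next = t->dead; t->dead = tr;
}
static void tracker_release(tracker_table *t, tracker *tr) { if (--tr->refcount == 0) tracker_destroy(t, tr); }

/* Insert a tracker for a newly seen pid and return it holding a caller reference.
 * fixed == false is the off-by-one: the bucket now points at the tracker, but only the
 * caller's reference is counted, so the caller's release destroys it while still linked. */
static tracker *tracker_create(tracker_table *t, uint32_t pid, bool fixed)
{
    tracker *tr = calloc(1, sizeof *tr);
    if (!tr) return NULL;
    tr->pid = pid;
    tr->refcount = fixed ? 2 : 1;               /* table ref + caller ref, or caller ref only */
    if (!insert_tail(&t->bucket[pid % BUCKETS], &tr->link)) { free(tr); return NULL; }
    return tr;
}

/* Rundown: unlink every still-valid tracker, drop the table's reference, free the quarantine. */
static void table_teardown(tracker_table *t)
{
    for (unsigned i = 0; i < BUCKETS; i++) {
        list_entry *head = &t->bucket[i];
        while (head->flink != head && list_entry_valid(head->flink)) {
            tracker *tr = (tracker *)head->flink;   /* link is the first member of tracker */
            remove_entry(&tr->link);
            tracker_release(t, tr);
        }
    }
    while (t->dead) { tracker *next = t->dead->dead_next; free(t->dead); t->dead = next; }
}

/* Two process-create events for pids that hash to the same bucket. Returns false if the list
 * was found corrupted; *premature counts trackers destroyed while still linked. */
static bool run_scenario(bool fixed, unsigned *premature)
{
    tracker_table t; table_init(&t);
    const uint32_t pids[2] = { 100, 100 + BUCKETS };
    bool ok = true;
    for (int i = 0; i < 2; i++) {
        tracker *tr = tracker_create(&t, pids[i], fixed);
        if (!tr) { ok = false; break; }
        tr->events++;                /* the callback's work, done while holding a reference */
        tracker_release(&t, tr);     /* drop only the caller's reference */
    }
    *premature = t.destroyed;
    table_teardown(&t);
    return ok;
}
```

With `fixed == false` the first release drops the only counted reference, the tracker is destroyed while its bucket still links it, and the second insert into that bucket is refused by the predecessor check; with `fixed == true` both trackers survive until the rundown unlinks them and drops the table's reference. The rule to take from it is the one the driver's reference-counted lifetimes already encode: whoever links a node into a list owns a reference, and the caller that receives the node owns a separate one.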

3 comments
