ShadowStrike Labs

ShadowStrike Phantom EDR/XDR Platform Kernel Sensor (WDK/C)

I've been building an open-source kernel-mode EDR/XDR sensor called Phantom Sensor for about
two years now as a solo project. It just hit a milestone I'm pretty
excited about - the driver loads cleanly on Windows 11, passes Driver
Verifier with all standard flags enabled, and survives normal use
without crashing.

The kernel sensor (PhantomSensor) is a WFP+minifilter driver sitting
at altitude 385210. It's written in C targeting the WDK, roughly 370k
lines across 70+ modules. Some of what it does:

  • ObRegisterCallbacks for process/thread handle stripping (anti-injection, anti-debug)
  • Minifilter callbacks with stream contexts for file monitoring, ransomware backup engine, section object tracking
  • WFP callouts for network inspection - TCP stream reassembly, DNS monitoring, C2 beacon detection, TLS fingerprinting
  • PsSetCreateProcessNotifyRoutineEx / PsSetLoadImageNotifyRoutine for behavioral analysis
  • ETW provider + consumer for kernel telemetry
  • Registry callback for persistence detection (Run keys, services, scheduled tasks)
  • Process hollowing detection via VAD analysis + PE header comparison
  • Syscall table monitoring, direct syscall detection, and Heaven's Gate, Halo's Gate and Hell's Gate detection
  • Lookaside lists for hot-path allocations, rundown protection for safe teardown, reference-counted object lifetimes

The behavioral engine tracks attack chains and maps them to MITRE ATT&CK
techniques. The thread protection module does per-process activity tracking
with hash-bucketed trackers and rate limiting; I had a fun use-after-free
in there (refcount off-by-one on newly inserted trackers; InsertTailList
caught the corrupted list entry - classic).
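To make the refcount off-by-one concrete, here is an added user-mode model of a hash-bucketed per-process tracker table. It is not PhantomSensor's code; the struct, the function names and the pid 4242 are hypothetical, the bucket chain stands in for the LIST_ENTRY, and the pool free is only marked rather than performed so the dangling link can be observed instead of being real undefined behaviour. The `buggy` flag switches between a new tracker born with one reference (the bug) and one born with two (the fix):

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdlib.h>

#define BUCKETS 16u

/* Hypothetical per-process activity tracker (not PhantomSensor's struct).
 * `next` stands in for the LIST_ENTRY bucket chain; `freed` models the return
 * to the lookaside list, so the dangling link is observable instead of being
 * real undefined behaviour. */
typedef struct tracker {
    struct tracker *next;
    uint32_t pid;
    long refcount;   /* one reference owned by the bucket, plus one per outstanding lookup */
    unsigned events;
    bool freed;
} tracker_t;

static tracker_t *g_buckets[BUCKETS];

/* Multiplicative hash; the top four bits select one of 16 buckets. */
static unsigned bucket_of(uint32_t pid) {
    return (pid * 2654435761u) >> 28;
}

/* Drop one reference. At zero the driver would free the block; here it is
 * only marked so a later lookup can detect that it found a dead tracker. */
static void tracker_release(tracker_t *t) {
    if (--t->refcount == 0)
        t->freed = true;
}

/* Look up the tracker for pid, taking a reference, or insert a new one.
 * A freshly inserted tracker must start at refcount 2: the bucket owns one
 * reference and the pointer handed back to the caller is another. The buggy
 * variant starts at 1, so the caller's matching release frees the tracker
 * while it is still linked in the bucket. */
static tracker_t *tracker_acquire(uint32_t pid, bool buggy) {
    unsigned b = bucket_of(pid);
    for (tracker_t *t = g_buckets[b]; t; t = t->next) {
        if (t->pid == pid) {
            t->refcount++;
            return t;
        }
    }
    tracker_t *t = calloc(1, sizeof *t);
    if (!t)
        return NULL;
    t->pid = pid;
    t->refcount = buggy ? 1 : 2;
    t->next = g_buckets[b];
    g_buckets[b] = t;
    return t;
}

/* Process-exit path: unlink the tracker and drop the bucket's reference. */
static void tracker_remove(uint32_t pid) {
    for (tracker_t **pp = &g_buckets[bucket_of(pid)]; *pp; pp = &(*pp)->next) {
        if ((*pp)->pid == pid) {
            tracker_t *t = *pp;
            *pp = t->next;
            tracker_release(t);
            return;
        }
    }
}

/* Hot path: acquire, count the event, release. Returns false when the lookup
 * handed back a tracker that was already freed, i.e. the use-after-free fired. */
static bool record_event(uint32_t pid, bool buggy) {
    tracker_t *t = tracker_acquire(pid, buggy);
    if (!t)
        return false;
    bool alive = !t->freed;
    t->events++;
    tracker_release(t);
    return alive;
}

static void reset_table(void) {
    for (unsigned b = 0; b < BUCKETS; b++) {
        while (g_buckets[b]) {
            tracker_t *t = g_buckets[b];
            g_buckets[b] = t->next;
            free(t);
        }
    }
}

/* Two events from the same (constructed) process, then process exit. Returns how
 * many events operated on a freed tracker: 1 with the off-by-one, 0 with the fix. */
static int run_scenario(bool buggy) {
    reset_table();
    int uaf = 0;
    if (!record_event(4242, buggy)) uaf++;   /* first event inserts the tracker */
    if (!record_event(4242, buggy)) uaf++;   /* buggy: finds a tracker already at refcount 0 */
    tracker_remove(4242);
    reset_table();
    return uaf;
}
```

The rule the model enforces is the one that prevents this whole class of bug: every pointer that leaves the table, including the one returned from the insert that created the object, is a counted reference, and the container's own link is a separate reference that only the unlink path drops. With the bug, the first caller's release already zeroes the count while the entry is still linked, and the second lookup operates on freed memory; in the driver that is the corrupted LIST_ENTRY that InsertTailList (or Driver Verifier's special pool) trips over.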

It's been a long road of analyzing dump reports with kd.exe (the kernel debugger) and WinDbg x64 and finding the errors that triggered each BSOD. Here are some: WORKER_INVALID from double-queuing
an IO_WORKITEM on periodic timers. Stack overflows from 4KB structs in
image load callbacks. IRQL_NOT_LESS_OR_EQUAL from ERESOURCE without
KeEnterCriticalRegion. Each one taught me something.
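The double-queued IO_WORKITEM is worth a worked example because the fix is a small state machine rather than a one-line change. The block below is an added user-mode model, not PhantomSensor's code: `io_queue_work_item` stands in for IoQueueWorkItem (which must never be called on an item that is already queued), the `pending` flag plays the role a driver would give an InterlockedCompareExchange guard (C11 atomics here), and all names, the struct and the tick counts are hypothetical. It runs the unguarded timer DPC beside the guarded one with the timer firing several times before the worker gets to run:

```c
#include <stdatomic.h>
#include <stdbool.h>

/* Hypothetical periodic-work state (not PhantomSensor's). `pending` is the
 * guard a real driver would drive with InterlockedCompareExchange; here C11
 * atomics play that role. */
typedef struct {
    atomic_int pending;   /* 0 = idle, 1 = queued or running */
    bool item_queued;     /* the system's own view of the IO_WORKITEM */
    int queued;           /* successful queue operations */
    int skipped;          /* timer ticks that found work still pending */
    int faults;           /* would be WORKER_INVALID bugchecks in the kernel */
} periodic_work_t;

typedef struct {
    int queued, skipped, faults;
} sim_result_t;

/* Stand-in for IoQueueWorkItem: queuing an item that is already queued
 * corrupts the worker queue and bugchecks; the model just records the fault. */
static void io_queue_work_item(periodic_work_t *w) {
    if (w->item_queued) {
        w->faults++;
        return;
    }
    w->item_queued = true;
    w->queued++;
}

/* Timer DPC, unguarded: queues on every tick, whatever the item's state. */
static void timer_dpc_unguarded(periodic_work_t *w) {
    io_queue_work_item(w);
}

/* Timer DPC, guarded: only the tick that flips pending from 0 to 1 may queue;
 * every other tick while the worker is outstanding is dropped. */
static void timer_dpc_guarded(periodic_work_t *w) {
    int idle = 0;
    if (atomic_compare_exchange_strong(&w->pending, &idle, 1))
        io_queue_work_item(w);
    else
        w->skipped++;
}

/* Worker routine. The system dequeues the item before calling it, so the
 * item may be requeued once the routine clears `pending` as its final step. */
static void work_routine(periodic_work_t *w) {
    w->item_queued = false;
    /* ... periodic scan / telemetry flush would run here ... */
    atomic_store(&w->pending, 0);
}

static void tick(periodic_work_t *w, bool guarded) {
    if (guarded)
        timer_dpc_guarded(w);
    else
        timer_dpc_unguarded(w);
}

/* Fire the timer `ticks_before_worker` times before the worker gets CPU time
 * (a slow worker or a busy system), run the worker once, then fire once more. */
static sim_result_t simulate(bool guarded, int ticks_before_worker) {
    periodic_work_t w = { .item_queued = false, .queued = 0, .skipped = 0, .faults = 0 };
    atomic_init(&w.pending, 0);
    for (int i = 0; i < ticks_before_worker; i++)
        tick(&w, guarded);
    work_routine(&w);
    tick(&w, guarded);
    sim_result_t r = { w.queued, w.skipped, w.faults };
    return r;
}
```

Three timer fires before the worker runs give the unguarded DPC two faults (each one a bugcheck on real hardware), while the guarded DPC queues once, drops the two ticks it cannot service, and re-arms cleanly after the worker clears `pending`. The same flag is what teardown has to respect: the timer must be cancelled and `pending` must be back at 0 before the work item is freed, which is the job the rundown protection mentioned above does in a driver.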

The codebase is AGPL v3. But understand that it is still not complete (the kernel sensor is only one part of it): we have a Beta 2028 target for the full product, specifically three products (Phantom XDR, Phantom EDR and Phantom Consumer) under the ShadowStrike brand.

If you want to support or follow the journey of developing a kernel driver and a user-mode agent for the ShadowStrike Phantom products:

Join us on Github: https://github.com/ShadowStrike-Labs/ShadowStrike
If you want to support the project: https://github.com/sponsors/ShadowStrike-Labs
Site: https://www.shadowstrike.dev/
