Show HN: ShadowStrike – building an open-source EDR from scratch(github.com)
github.com
Show HN: ShadowStrike – building an open-source EDR from scratch
https://github.com/Soocile/ShadowStrike
2 comments
As a Systems Architect, I've worked with various Endpoint Detection and Response (EDR) solutions, and I'm excited to see an open-source alternative like ShadowStrike. One key aspect to consider when building an EDR from scratch is the ability to collect and analyze telemetry data from endpoints. This includes process creation, network connections, file access, and other system calls. To achieve this, ShadowStrike could utilize a kernel-mode driver to intercept and log system calls, providing a robust dataset for
• threat
detection and incident response.
Additionally, implementing a cloud-based backend for data storage and analytics would enable scalable and efficient processing of the collected data, facilitating the detection of advanced threats.
First of all, it's great to receive such feedback from a system architect like yours! Thank you for that. I'm trying my best; it will be a long-term project, and I'm considering a serious EDR platform. As you said, I'm planning endpoint cloud systems and even custom sandbox - AI integrations for these cloud systems, but these require money, and I can't afford them right now. Also, the product is still in its early stages and has a long way to go, but I will definitely try to add them in the future. As someone familiar with EDRs, I know them inside and out. I'm also thinking of adding systems like threat management dashboards, but if I do that, I'll probably have to release it as an Enterprise version of ShadowStrike, but as I said, these are things that will happen over time. This year, I'm completely focused on Shadow Sensor; it's a really challenging area, and I'm learning a lot while trying to do a good job. Let's see how things go.
This project is still pre-alpha. It does not compile yet, the codebase is large and messy, and many components are under heavy refactoring. I’m sharing it early because I’d rather build in public and learn from feedback than wait for perfection.
The focus so far has been understanding how EDR systems are structured and implementing core building blocks, including:
- A custom Windows kernel monitoring sensor - Detection logic around process, filesystem, registry, and memory behavior - Memory-mapped data stores for performance (hash/pattern/signature) - Pattern matching experiments using Boyer Moore techniques - Aho Corasick - B+Tree - Boyer Moore - KMP Failure functions - Z algorithms - HeapTrie Nodes , etc. - SQLite-backed management storage
I’m currently evaluating architectural directions such as hypervisor-based protection versus relying on the Windows Hypervisor Platform, and working on improving low-level reasoning by studying reverse engineering tools and kernel debugging workflows.
The biggest challenges so far have been: - managing complexity as the codebase grew - designing boundaries between kernel/user components - balancing experimentation with maintainability
This is a multi-year learning project, not a finished product. My rough goal is to reach a cohesive working version with integrated modules and UI in the coming years.
I’d appreciate technical feedback, criticism, or architectural suggestions.