Show HN: ShadowStrike – building an open-source EDR from scratch (github.com)

1 points by Soocile ↗ HN
For the past two years I’ve been working on a long-term project called ShadowStrike, an experimental endpoint detection and response engine written mostly in C/C++ with some x86-64 assembly components.

This project is still pre-alpha. It does not compile yet, the codebase is large and messy, and many components are under heavy refactoring. I’m sharing it early because I’d rather build in public and learn from feedback than wait for perfection.

The focus so far has been understanding how EDR systems are structured and implementing core building blocks, including:

- A custom Windows kernel monitoring sensor - Detection logic around process, filesystem, registry, and memory behavior - Memory-mapped data stores for performance (hash/pattern/signature) - Pattern matching experiments using Boyer Moore techniques - Aho Corasick - B+Tree - Boyer Moore - KMP Failure functions - Z algorithms - HeapTrie Nodes , etc. - SQLite-backed management storage

I’m currently evaluating architectural directions such as hypervisor-based protection versus relying on the Windows Hypervisor Platform, and working on improving low-level reasoning by studying reverse engineering tools and kernel debugging workflows.

The biggest challenges so far have been: - managing complexity as the codebase grew - designing boundaries between kernel/user components - balancing experimentation with maintainability

This is a multi-year learning project, not a finished product. My rough goal is to reach a cohesive working version with integrated modules and UI in the coming years.

I’d appreciate technical feedback, criticism, or architectural suggestions.

1 comment

[ 3.1 ms ] story [ 12.1 ms ] thread
As a Systems Architect, I've worked with various Endpoint Detection and Response (EDR) solutions, and I'm excited to see an open-source alternative like ShadowStrike. One key aspect to consider when building an EDR from scratch is the ability to collect and analyze telemetry data from endpoints. This includes process creation, network connections, file access, and other system calls. To achieve this, ShadowStrike could utilize a kernel-mode driver to intercept and log system calls, providing a robust dataset for • threat detection and incident response. Additionally, implementing a cloud-based backend for data storage and analytics would enable scalable and efficient processing of the collected data, facilitating the detection of advanced threats.