GitHub Repository

ShadowStrike A Windows EDR Platform

26 stars · C++

ShadowStrike – building an open-source EDR from scratch

by Soocile · Feb 15, 2026 · 1 point · 2 comments

AI Analysis

Pass · Bold Bet

Ambitious but code doesn't compile yet; shipping in 3-5 years is not a product.

Strengths
  • Kernel-level architecture shows deep Windows security knowledge; legitimate defense against commercial EDR moat
  • Custom pattern-matching algorithm experiments (Boyer-Moore, Aho-Corasick, Z-algo) signal serious engineering effort
Weaknesses
  • Pre-alpha and does not compile; the README roadmap to 2028 is a roadmap, not a project
  • Security software requires certification, Windows kernel hardening, and threat testing—architectural plans don't ship
Target Audience

Windows security researchers, open-source security maintainers, aspiring EDR engineers.

Similar To

Yara · ClamAV · OSSEC

Post Description

For the past two years I’ve been working on a long-term project called ShadowStrike, an experimental endpoint detection and response engine written mostly in C/C++ with some x86-64 assembly components.

This project is still pre-alpha. It does not compile yet, the codebase is large and messy, and many components are under heavy refactoring. I’m sharing it early because I’d rather build in public and learn from feedback than wait for perfection.

The focus so far has been understanding how EDR systems are structured and implementing core building blocks, including:

- A custom Windows kernel monitoring sensor
- Detection logic around process, filesystem, registry, and memory behavior
- Memory-mapped data stores for performance (hash/pattern/signature)
- Pattern matching experiments using Boyer-Moore techniques:
  - Aho-Corasick
  - B+Tree
  - Boyer-Moore
  - KMP failure functions
  - Z algorithms
  - HeapTrie nodes, etc.
- SQLite-backed management storage

I’m currently evaluating architectural directions such as hypervisor-based protection versus relying on the Windows Hypervisor Platform, and working on improving low-level reasoning by studying reverse engineering tools and kernel debugging workflows.

The biggest challenges so far have been:
- managing complexity as the codebase grew
- designing boundaries between kernel/user components
- balancing experimentation with maintainability

This is a multi-year learning project, not a finished product. My rough goal is to reach a cohesive working version with integrated modules and UI in the coming years.

I’d appreciate technical feedback, criticism, or architectural suggestions.
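The post lists Aho-Corasick among its pattern-matching experiments. The following is an added example, not code from ShadowStrike: a byte-oriented Aho-Corasick automaton that scans a buffer once and reports every occurrence of every signature, including a signature that is a suffix of another. The signature list (`kSignatures`) and the scanned buffer in `scan_sample()` are constructed here for illustration and are not taken from the project.

```cpp
#include <array>
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <queue>
#include <string>
#include <vector>

// Added example, not ShadowStrike's code: a byte-oriented Aho-Corasick DFA.
// Every node carries a full 256-entry goto table, so the scan loop is one
// table lookup per input byte with no allocation and no failure-link chasing.

struct Match {
    std::size_t offset;   // offset of the first matched byte in the buffer
    std::size_t pattern;  // index into the pattern list given to the constructor
};

class AhoCorasick {
public:
    explicit AhoCorasick(const std::vector<std::string>& patterns) : patterns_(patterns) {
        nodes_.emplace_back();  // node 0 is the root
        // 1. Build the trie; patterns are raw byte strings and may contain NULs.
        for (std::size_t i = 0; i < patterns_.size(); ++i) {
            int cur = 0;
            for (unsigned char c : patterns_[i]) {
                if (nodes_[cur].next[c] == -1) {
                    nodes_[cur].next[c] = static_cast<int>(nodes_.size());
                    nodes_.emplace_back();
                }
                cur = nodes_[cur].next[c];
            }
            nodes_[cur].out.push_back(i);
        }
        // 2. Breadth-first pass: compute failure links, complete the goto table,
        //    and inherit the outputs of each failure state so that a pattern that
        //    is a suffix of another (e.g. "-enc" inside "powershell -enc") is
        //    still reported when the longer one is being tracked.
        std::queue<int> q;
        for (int c = 0; c < 256; ++c) {
            int v = nodes_[0].next[c];
            if (v == -1) nodes_[0].next[c] = 0;  // unknown byte at root stays at root
            else { nodes_[v].fail = 0; q.push(v); }
        }
        while (!q.empty()) {
            int u = q.front(); q.pop();
            for (int c = 0; c < 256; ++c) {
                int v = nodes_[u].next[c];
                // fail[u] is shallower than u, so its goto table is already complete.
                int via_fail = nodes_[nodes_[u].fail].next[c];
                if (v == -1) {
                    nodes_[u].next[c] = via_fail;
                } else {
                    nodes_[v].fail = via_fail;
                    const std::vector<std::size_t>& inherited = nodes_[via_fail].out;
                    nodes_[v].out.insert(nodes_[v].out.end(), inherited.begin(), inherited.end());
                    q.push(v);
                }
            }
        }
    }

    // Single pass over the buffer; matches are reported in order of their last byte.
    std::vector<Match> scan(const std::uint8_t* data, std::size_t len) const {
        std::vector<Match> matches;
        int state = 0;
        for (std::size_t i = 0; i < len; ++i) {
            state = nodes_[state].next[data[i]];
            for (std::size_t p : nodes_[state].out)
                matches.push_back({i + 1 - patterns_[p].size(), p});
        }
        return matches;
    }

private:
    struct Node {
        std::array<int, 256> next;
        int fail = 0;
        std::vector<std::size_t> out;
        Node() { next.fill(-1); }
    };
    std::vector<std::string> patterns_;
    std::vector<Node> nodes_;
};

// Constructed sample signatures (hypothetical, for illustration only).
static const std::vector<std::string> kSignatures = {
    "powershell -enc",                  // 0
    "-enc",                             // 1: suffix of 0, exercises output inheritance
    "rundll32",                         // 2
    std::string("\x4d\x5a\x90\x00", 4)  // 3: MZ header bytes, includes a NUL
};

// Constructed buffer: MZ header bytes followed by a command-line fragment.
std::vector<Match> scan_sample() {
    const AhoCorasick ac(kSignatures);
    const std::string buf = std::string("\x4d\x5a\x90\x00", 4) + "...powershell -enc SQBFAFgA rundll32";
    return ac.scan(reinterpret_cast<const std::uint8_t*>(buf.data()), buf.size());
}

int main() {
    for (const Match& m : scan_sample())
        std::printf("offset %zu: signature %zu\n", m.offset, m.pattern);
    return 0;
}
```

The scan is linear in the buffer length plus the number of matches, independent of how many signatures are loaded, which is why multi-pattern automata rather than per-signature Boyer-Moore or KMP are the usual choice for bulk signature scanning. The cost is memory: the full 256-entry goto table is 1 KiB per node, so a large signature set will want a sparse or compressed transition representation (or a memory-mapped, precompiled table) instead of this direct layout.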
