The kernel sensor (PhantomSensor) is a WFP+minifilter driver sitting at altitude 385210. It's written in C targeting the WDK, roughly 370k lines across 70+ modules. Some of what it does:
- ObRegisterCallbacks for process/thread handle stripping (anti-injection, anti-debug)
- Minifilter callbacks with stream contexts for file monitoring, ransomware backup engine, section object tracking
- WFP callouts for network inspection - TCP stream reassembly, DNS monitoring, C2 beacon detection, TLS fingerprinting
- PsSetCreateProcessNotifyRoutineEx / PsSetLoadImageNotifyRoutine for behavioral analysis
- ETW provider + consumer for kernel telemetry
- Registry callback for persistence detection (Run keys, services, scheduled tasks)
- Process hollowing detection via VAD analysis + PE header comparison
- Syscall table monitoring, direct syscall detection, Heaven's Gate detection, Halo's Gate detection + Hell's Gate detection
- Lookaside lists for hot-path allocations, rundown protection for safe teardown, reference-counted object lifetimes

The behavioral engine tracks attack chains and maps to MITRE ATT&CK techniques. The thread protection module does per-process activity tracking with hash-bucketed trackers and rate limiting - had a fun use-after-free in there (refcount off-by-one on newly inserted trackers, InsertTailList caught the corrupted list entry - classic).
It's been a long road of analyzing dump reports using kd.exe (the kernel debugger) and WinDbg x64, and finding the errors that triggered the BSODs. Here are some: WORKER_INVALID from double-queuing an IO_WORKITEM on periodic timers. Stack overflows from 4KB structs in image load callbacks. IRQL_NOT_LESS_OR_EQUAL from ERESOURCE without KeEnterCriticalRegion. Each one taught me something.
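The refcount off-by-one behind the tracker use-after-free mentioned above, reduced to portable C as an added illustration (this is not PhantomSensor code, and the tracker type, bucket array and `freed` marker are constructed stand-ins for the driver's LIST_ENTRY-based structures):

```c
/* Added example, not PhantomSensor code. Rule: the hash bucket owns one
 * reference and every lookup takes one more. The off-by-one is a fresh
 * tracker inserted with only the caller's reference, so the caller's release
 * drops it to zero while still linked; the next lookup returns freed memory. */
#include <stdlib.h>
#define BUCKETS 64

typedef struct tracker {
    struct tracker *next;   /* bucket chain; stands in for LIST_ENTRY */
    unsigned pid;
    long refcount;          /* bucket reference + outstanding callers */
    int freed;              /* constructed marker instead of free() */
} tracker_t;

static tracker_t *g_buckets[BUCKETS];

static void tracker_release(tracker_t *t) {
    if (--t->refcount == 0)
        t->freed = 1;       /* must only ever happen after unlinking */
}

/* Return the tracker for pid, inserting one if needed; caller owns one ref. */
static tracker_t *tracker_acquire(unsigned pid, int buggy_insert) {
    tracker_t **head = &g_buckets[pid % BUCKETS];
    for (tracker_t *t = *head; t; t = t->next)
        if (t->pid == pid) { t->refcount++; return t; }
    tracker_t *t = calloc(1, sizeof *t);
    t->pid = pid;
    /* Correct: bucket's reference + caller's = 2. Buggy: forgets the bucket. */
    t->refcount = buggy_insert ? 1 : 2;
    t->next = *head;
    *head = t;
    return t;
}

/* Unlink from the bucket and drop the bucket's own reference. */
static void tracker_remove(unsigned pid) {
    for (tracker_t **pp = &g_buckets[pid % BUCKETS]; *pp; pp = &(*pp)->next)
        if ((*pp)->pid == pid) { tracker_t *t = *pp; *pp = t->next; tracker_release(t); return; }
}

/* Returns 1 if the second acquire handed back a freed tracker (use-after-free). */
int reproduce_uaf(int buggy_insert) {
    for (int i = 0; i < BUCKETS; i++) g_buckets[i] = NULL;  /* reset; leaks demo nodes */
    tracker_t *t = tracker_acquire(1234, buggy_insert);
    tracker_release(t);           /* caller finished; bucket should still hold it */
    tracker_t *again = tracker_acquire(1234, buggy_insert);
    int uaf = again->freed;
    tracker_release(again);
    tracker_remove(1234);
    return uaf;
}
```

With the buggy insert the second lookup finds a tracker whose refcount already hit zero, which is exactly the state a list-integrity check such as the one in InsertTailList trips over once the freed node is reused.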
The codebase is AGPL v3. But understand it is still not completed (there is more than the kernel sensor): we have a Beta 2028 target for the full product, namely 3 products (Phantom XDR, Phantom EDR and Phantom Consumer solutions) under the ShadowStrike brand.
If you want to support or follow the journey of developing a Kernel-driver and a user-mode agent for the ShadowStrike Phantom products: