How PhantomSensor works.

Foundation of the entire platform. FilterRegistration establishes the minifilter at altitude 328000 and registers 14 operation callbacks via FLT_REGISTRATION. Manages per-stream and per-file FLT contexts, global state (Globals.h), and the FilterConnectPort communication channel to user space.

Loads before any third-party boot driver. Validates driver certificate hashes against an embedded policy (Good / Bad / Unknown classification) before the Windows kernel hands off to the rest of the boot stack. Includes a measured-boot integration and boot-time threat detection.

Intercepts all file system I/O. Pre-create inspects file opens before access is granted. Pre-write and post-write monitor data writes for encryption patterns. PreSetInfo catches rename/delete operations used in ransomware. FileBackupEngine provides in-kernel backup copy on critical modifications. NamedPipeMonitor tracks inter-process pipe communication.

Comprehensive process and thread lifecycle monitoring. Tracks parent-child chains for orphan injection detection. Parses command lines for LOLBins and suspicious flags. TokenAnalyzer watches for privilege escalation and token manipulation. WSLMonitor handles Linux-under-Windows evasion attempts. AMSI bypass detector catches attempts to neutralize the Antimalware Scan Interface.

Registers with the Windows Object Manager to intercept handle operations. Strips PROCESS_VM_WRITE and PROCESS_VM_OPERATION from handles to protected processes. Independently protects threads from injection via handle. Acts as the last line of defense against tools that call OpenProcess directly.

Monitors all registry operations system-wide via CmRegisterCallbackEx. Detects persistence installation (Run keys, services, scheduled task XML blobs), security setting modifications, and attempts to tamper with the driver's own registry entries.

Tracks the Virtual Address Descriptor tree in real-time. Flags PAGE_EXECUTE_READWRITE allocations by foreign processes. Detects classic injection (VirtualAllocEx→WriteProcessMemory→CreateRemoteThread), process hollowing (image section replacement), reflective DLL (PE header in anonymous private region), ROP chains, and heap spray allocation patterns.

Detects adversaries bypassing user-space hooks entirely. Identifies syscall instructions issued outside of NTDLL text section. Catches 32→64-bit Heaven's Gate transitions. Verifies NTDLL .text integrity against the on-disk image to detect patching. Analyzes call-stack return address origins to flag unusual execution paths.

Rule-driven engine that correlates kernel events across process trees and time windows. Evaluates YAML-defined multi-step rules to recognize kill-chain sequences. Assigns ATT&CK technique IDs to every fired detection and computes a composite threat score (0–100). IOCMatcher cross-references events against in-memory IOC structures loaded from the user-space ThreatIntel pipeline.

Provides kernel-level visibility into network activity. C2Detection identifies beacon patterns by timing, jitter, and payload regularity. DnsMonitor inspects DNS query names for DGA patterns and known C2 domains. SSLInspection enables TLS metadata analysis. DataExfiltration monitors volume and destination patterns for data theft.

Implements a full ETW provider/consumer stack within the driver. Generates structured events for every significant detection action and feeds them to the user-space telemetry pipeline. ManifestGenerator produces the event manifest for tools like WPP and PerfView.

Manages the bidirectional FilterConnectPort channel between the kernel driver and the user-space service. ScanBridge serializes scan requests and responses. TelemetryBuffer batches events to minimize context-switch overhead. Encryption module secures the IPC channel.

Monitors Advanced Local Procedure Call port activity. ALPC is widely used by Windows subsystems and frequently abused by malware for lateral movement and privilege escalation. AlpcPortMonitor tracks port creation, connection establishment, and message content.

Monitors Kernel Transaction Manager activity (TxF/TxR). Transactional NTFS is exploited by some evasion techniques to write files that vanish upon rollback, bypassing post-write scanning. KtmMonitor detects suspicious transacted operations.

Prevents the driver from being unloaded, patched, or debugged. AntiUnload blocks FltUnregisterFilter calls from untrusted callers. CallbackProtection prevents other drivers from deregistering Phantom's callbacks. IntegrityMonitor checks the driver's own .text section at runtime.

Provides reusable concurrency infrastructure used throughout the driver. SpinLock wraps KSPIN_LOCK with safe acquire/release helpers. A kernel thread pool dispatches deferred work items. TimerManager schedules periodic tasks like cache expiry and integrity checks.

ScanCache caches scan outcomes keyed by SHA-256 file hash, eliminating redundant rescanning during I/O-heavy workloads. ExclusionManager maintains a kernel-mode allow-list for trusted paths and processes pushed from user space.

InstanceContext holds per-volume state across callbacks. StreamContext carries per-file scan results between Pre and Post operations. PowerCallback registers for sleep/hibernate transitions to ensure protection survives power state changes.

Heart of the user-space detection pipeline. Orchestrates parallel scanning across hash lookup, YARA matching, behavioral analysis, ML inference, heuristics, emulation, and sandbox analysis. ZeroDayDetector combines multiple weak signals to catch novel threats.

Comprehensive user-space view of process activity. Correlates injection techniques from multiple angles — DLL injection, process hollowing, atom bombing, reflective loading, thread hijacking. ProcessKiller provides forceful termination of confirmed malicious processes.

Dedicated detection layer for malware trying to hide from analysis environments. Critical measurements are implemented in x64 assembly to prevent compiler optimizations from neutralizing timing-based checks. Covers VM, sandbox, debugger, timing, packer, environment, and network-based evasion.

Detects and blocks memory-based exploitation techniques. Guards against classic buffer overflows, ROP chains, JIT spray, stack pivots, and heap spray. KernelExploitDetector watches for privilege escalation via kernel vulnerability patterns.

Orchestrates the live protection layer. BehaviorBlocker acts synchronously on behavioral triggers. FileIntegrityMonitor detects unauthorized modifications to critical system files. ZeroHourProtection applies cloud-assisted verdicts for brand-new threats with no local signature.

Layered ransomware detection and response. Canary files provide early warning via minifilter access tripwires. ShadowCopyProtector blocks VSS deletion commands. Family-specific detectors catch WannaCry and Locky variants.

Production-grade threat intelligence pipeline. Ingests STIX 2.1/TAXII 2.1/CSV feeds. A sharded B-tree index with Bloom filter pre-check provides O(1) negative lookup across 1.2M+ entries. URL/domain matching uses a trie structure. LRU-cached reputation queries minimize latency on hot paths.

Scans malicious scripts before and during execution. Integrates with AMSI to inspect PowerShell, VBScript, and JavaScript. Dedicated scanners catch macro-based Office threats and Python-based malware.

Guards users from web-based threats. PhishingDetector analyzes URLs and page content. Browser extension scanners catch malicious Chrome/Firefox add-ons. MaliciousDownloadBlocker intercepts hazardous file downloads before they hit disk.

Scans email attachments and URLs across Outlook and Thunderbird. PhishingEmailDetector analyzes headers, sender reputation, and body content. SpamDetector provides Bayesian + ML-based spam classification.

Controls and monitors USB devices. BadUSBDetector catches HID spoofing attacks (rubber ducky, malicious keyboards). DeviceControlManager enforces USB device policy. Autorun is blocked unconditionally. All USBs are auto-scanned on mount.

Detects unauthorized cryptocurrency mining across CPU, GPU, and browser. PoolConnectionDetector identifies mining pool connection patterns. CPUUsageAnalyzer applies heuristics to distinguish legitimate sustained load from covert mining.

Provides IR-grade evidence collection triggered on confirmed detections. MemoryDumper captures process memory for offline analysis. TimelineAnalyzer reconstructs the attack sequence from logs. NetworkCapture records network context around the incident.

Manages all communication between the Windows service, kernel driver, and future GUI. FilterConnection implements the FltPort user-mode side. AlertSystem routes detections to the notification subsystem. TelemetryCollector aggregates metrics for the telemetry pipeline.

Manages the ShadowStrike Phantom Windows service through the SCM. ServiceInstaller handles driver + service installation/removal. ServiceMonitor performs health checks and automatic restart. ServiceController exposes control commands.

Manages the full update lifecycle. SignatureUpdater fetches and applies definition updates. DeltaUpdater applies binary diffs to minimize download size. UpdateVerifier checks digital signatures before applying. RollbackManager allows reverting a bad update.

User-space complement to the kernel self-protection layer. CryptoManager provides AES-GCM and RSA-OAEP for IPC channel encryption. DigitalSignatureValidator enforces Authenticode on all loaded modules. TamperProtection monitors the service binary and configuration for unauthorized changes.

Safe, bounds-checked PE32/PE32+ parser. Extracts headers, sections, imports, exports, resources, and Authenticode information. SafeReader provides memory-safe field access to prevent parser exploitation. PEValidation enforces structural integrity before deeper analysis.

Custom B-tree based signature database with YARA rule integration. Supports batch import, COW (copy-on-write) updates, and incremental index maintenance. SignatureBuilder constructs binary signature records from threat intelligence feeds.

High-performance hash reputation database. Bloom filter provides O(1) negative lookups that eliminate most disk access. Memory-mapped file backend enables zero-copy hash queries. Supports import/export of industry-standard hash feeds (NSRL, VT).

Multi-algorithm byte pattern matching engine. Aho-Corasick for multi-pattern simultaneous search. Boyer-Moore for single-pattern fast search. SIMD vectorized matching (SSE4.2 / AVX2) accelerates bulk scanning throughput.

In-house approximate file similarity engine built from scratch. Detects polymorphic and repacked malware variants that share structural similarity but differ in exact hash. TLSH (Trend Locality Sensitive Hash) is used as a supplementary 3rd-party library alongside the custom implementation.

Shared infrastructure used across all user-space modules. CryptoUtils provides AES/RSA/ECDSA and secure random generation. NetworkUtils covers HTTP/HTTPS, DNS, proxy, and IP utilities. ThreadPool manages user-space worker threads. Logger provides structured logging to file/ETW.