
Shadow System

A resilient secondary process that monitors the primary loader and restores integrity when tampering is detected.

Architecture

Primary (loader.exe)
  ├── spawns Shadow (shadow.exe)
  ├── heartbeat via named pipe
  └── on death → Shadow restores

Shadow (shadow.exe)
  ├── watches Primary PID
  ├── verifies Primary .text hash
  └── re-injects payload on mismatch

Heartbeat Protocol

Primary writes a monotonic counter to a named pipe every 500ms. Shadow reads with a 2s timeout. Two consecutive misses trigger restoration.

Pipe: \\.\pipe\MeridianShadow
Frame: [seq:u32][timestamp:u64]
Timeout: 2000ms
Threshold: 2 misses

Integrity Verification

Shadow computes a SHA-256 hash of the Primary's in-memory .text section and compares it against a compile-time baseline embedded in its own resources.

1. OpenProcess(PROCESS_VM_READ, PID)
2. Read .text VA range from PEB→Ldr
3. SHA-256 over raw bytes
4. Compare to embedded digest
5. Mismatch → kill Primary → relaunch

Anti-Tamper Pairing

Both processes exchange Ed25519 public keys at startup. Heartbeat frames are signed. An unsigned or invalid frame is treated as a miss.
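The miss-counting rule from the Heartbeat Protocol and Anti-Tamper Pairing sections, as an added example that is not part of the original recipe or the project's code. It assumes little-endian frame fields, treats a non-increasing `seq` as an invalid frame, and takes the Ed25519 verdict from the caller as a hypothetical `signature_ok` flag; `HeartbeatMonitor` and `replay` are illustrative names.

```python
import struct

FRAME = struct.Struct("<IQ")   # [seq:u32][timestamp:u64]; little-endian is an assumption
MISS_THRESHOLD = 2             # "Threshold: 2 misses" from the page


class HeartbeatMonitor:
    """Shadow-side bookkeeping: counts consecutive misses, resets on a good frame."""

    def __init__(self):
        self.last_seq = None
        self.misses = 0

    def _miss(self):
        self.misses += 1
        return "restore" if self.misses >= MISS_THRESHOLD else "miss"

    def on_timeout(self):
        """Call when a pipe read hit the 2000 ms timeout."""
        return self._miss()

    def on_frame(self, raw, signature_ok=True):
        """raw: bytes of one frame; signature_ok: caller's signature check result."""
        if not signature_ok or len(raw) != FRAME.size:
            return self._miss()          # unsigned, invalid or truncated frame
        seq, _timestamp = FRAME.unpack(raw)
        if self.last_seq is not None and seq <= self.last_seq:
            return self._miss()          # assumption: replayed counter is invalid
        self.last_seq = seq
        self.misses = 0
        return "ok"


def replay(events):
    """events: bytes (frame), None (timeout), or (bytes, bool) for a signature verdict."""
    mon, out = HeartbeatMonitor(), []
    for ev in events:
        if ev is None:
            out.append(mon.on_timeout())
        elif isinstance(ev, tuple):
            out.append(mon.on_frame(ev[0], signature_ok=ev[1]))
        else:
            out.append(mon.on_frame(ev))
    return out


# Constructed sample trace: two good frames, one timeout, then a replayed frame.
SAMPLE = [FRAME.pack(1, 1000), FRAME.pack(2, 1500), None, FRAME.pack(2, 1500)]

if __name__ == "__main__":
    print(replay(SAMPLE))
```

A good frame between two misses resets the counter, so only back-to-back misses reach the threshold.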

Note: Shadow runs as a separate process to avoid sharing address space with the Primary. If the Primary is terminated, Shadow survives and restores state.