Industrial Control System (ICS) security has become increasingly important as attacks targeting ICSs are more prominent. Although many off-the-shelf industrial network intrusion detection mechanisms have been presented in the past, attackers have always found unique disguisable ways to bypass detections and disrupt actual industrial control processes. To mitigate this deficiency, we present a novel scheme for the detection of industrial process control attacks, called <sc xmlns:mml="http://www.w3.org/1998/Math/MathML" xmlns:xlink="http://www.w3.org/1999/xlink">ShadowPLCs</small> . Specifically, the scheme first automatically analyzes the PLC control code, then extracts key parameters of the PLCs including valid register addresses, valid range of values, and control logic rules as a basis for evaluating attacks. The attack behavior is detected in real-time from different perspectives through active communication with PLCs and passive monitoring of the network traffic. We implemented a prototype system with Siemens S7-300 series PLCs as a case study. Our scheme was evaluated using two Siemens S7-300 PLCs deployed on a gas pipeline network platform. Experiments demonstrate that the presented scheme can accurately detect process control attacks in real-time without affecting the normal operations of PLCs. Compared with the other four representative detection models, our scheme has better detection performance with detection accuracy of 97.3 percent.