ShadowSnare brings state-of-the-art neural detection to Windows memory forensics, scanning dump files offline to find hidden malware and explaining each verdict through a streamlined PyQt6 interface.
- π§ Memory Dump Pipeline β Acquire with WinPmem, extract behavioral features via Volatility3, and detect malicious activity directly from RAM images.
- π€ Deep Learning Integration β TensorFlow/Keras model trained with the CIC-MalMem-2022 dataset for high-accuracy, on-device inference.
- π Explainability for Analysts β SHAP per-sample factors, plus confusion matrix and misclassified entries for deeper validation.
- π₯οΈ Modern Windows UI β PyQt6 desktop app for Windows 10+ with clean, responsive views (Home Β· User Β· Dev Β· Settings).
- π Offline by Design β All analysis runs locally; no cloud services or data egress.
Full ShadowSnare Demo Playlist
- Windows 10+ (64-bit)
- Python 3.10.x (64-bit)
- pip
- (For dump creation) WinPmem at C:\winpmem\winpmem.exe
# 1) Clone the repository
git clone https://github.com/TeamShadowSnare/ShadowSnare-app.git
cd ShadowSnare
# 2) Create & activate a virtual environment
python -m venv .venv
.\.venv\Scripts\activate
# 3) Install dependencies
pip install -r requirements.txt
# 4) (Once) Place WinPmem for memory acquisition
# Download β rename to winpmem.exe β put at C:\winpmem\winpmem.exe
# 5) Run the app (use an elevated terminal if youβll create a dump)
python main.py- Launch ShadowSnare
- If you plan to create a memory dump, open your terminal/IDE as Administrator.
- (Recommended) Set default paths
- Go to Settings and choose directories for Dump, CSV, and Analysis.
- Open User Mode from the sidebar and follow the flow:
- π§ Create Memory Dump (Admin + WinPmem required)
- π Extract Features to CSV (runs Volatility3; produces
output.csv) - π Upload & Analyze CSV (use the new CSV or pick an existing one)
- Review results
- Summary & status (clean / malware found)
- SHAP explanations (click βView explanationβ to open the popup)
βΉοΈ Deeper analysis (optional): Switch to Dev Mode to see a Confusion Matrix, Misclassified samples, raw Data preview, and detailed Explainability for labeled CSVs (
Benign/Malwarein the first column).
- Rani Izsack β Project Supervisor
- Amos Zohar β Data Acquisition, Feature Extraction, UI Development
- Gal Havshush β Machine Learning Specialist, UI Development
- Ortal Nissim β Machine Learning Specialist, UI Development
- CIC-MalMem-2022 Dataset - Benchmark dataset used for model training and evaluation.
- WinPmem β Memory acquisition tool used for dump creation.
- Volatility β Memory forensics framework used for feature extraction.
- CIC-MalMem-2022 Dataset - reference for how several memory-forensics features were originally derived.creation.