// Ghost Process Evasion Masterclass
Master PE injection via delete-pending files. Learn how Windows creates processes from image sections, exploit the delete-pending file state to create processes from ghosted images that AV/EDR cannot scan, and understand the full evolution from Process Hollowing to Ghosting. Discovered by Gabriel Landau (Elastic Security), with a proof-of-concept implementation by hasherezade.
01 Beginner: NtCreateProcessEx, how Windows creates processes from image sections, the file-backed section requirement, and the kernel's view of process birth.
02 Beginner: Process Hollowing, Doppelgänging, Herpaderping, and Ghosting — the evolution of PE image tampering and the differences between each technique.
03 Beginner: FILE_DELETE_ON_CLOSE, NtSetInformationFile with FileDispositionInformation, what delete-pending means for mapped files, and NTFS file state transitions.
04 Intermediate: NtCreateFile with FILE_SUPERSEDE, writing the payload PE, marking the file delete-pending via NtSetInformationFile, and the resulting file state.
05 Intermediate: NtCreateSection with SEC_IMAGE from the delete-pending handle, IMAGE_SECTION_OBJECT creation, and why the section persists after the file is deleted.
06 Intermediate: NtCreateProcessEx with the section handle, PEB parameter setup, RTL_USER_PROCESS_PARAMETERS, NtCreateThreadEx, and launching the ghosted process.
07 Advanced: When AV scans occur (file create, section map, process create), why ghosting bypasses all three inspection points, and kernel callback analysis.
08 Advanced: The complete ghosting flow, detection via NtQueryInformationProcess, file object state inspection, and comparison with Doppelgänging and Herpaderping.
References and credits:
- Gabriel Landau (Elastic Security): discoverer and documenter of the Process Ghosting technique; Process Ghosting disclosure and detection analysis.
- hasherezade: github.com/hasherezade/process_ghosting (proof-of-concept implementation).
- jxy-s: github.com/jxy-s/herpaderping (Process Herpaderping).
- Tal Liberman & Eugene Kogan, enSilo (Process Doppelgänging).
- daem0nc0re: github.com/daem0nc0re/TangledWinExec.
- Background reading: process creation internals, section objects, NTFS file states.