ProcessGhosting

// Ghost Process Evasion Masterclass

Modules: 8
Language: C++
Architecture: x64
Difficulty Tiers: 3

Master PE injection via delete-pending files. Learn how Windows creates processes from image sections, exploit the delete-pending file state to create processes from ghosted images that AV/EDR cannot scan, and understand the full evolution from Process Hollowing to Ghosting. Discovered by Gabriel Landau (Elastic Security), with a proof-of-concept implementation by hasherezade.

01 Beginner

Process Creation Internals

NtCreateProcessEx, how Windows creates processes from image sections, the file-backed section requirement, and the kernel’s view of process birth.

02 Beginner

PE Tampering Techniques Overview

Process Hollowing, Doppelgänging, Herpaderping, and Ghosting — the evolution of PE image tampering and the differences between each technique.

03 Beginner

File System States & Delete-Pending

FILE_DELETE_ON_CLOSE, NtSetInformationFile with FileDispositionInformation, what delete-pending means for mapped files, and NTFS file state transitions.

04 Intermediate

Creating the Ghost File

NtCreateFile with FILE_SUPERSEDE, writing the payload PE, marking delete-pending via NtSetInformationFile, and the resulting file state.

05 Intermediate

Section Mapping from Ghost

NtCreateSection with SEC_IMAGE from the delete-pending handle, IMAGE_SECTION_OBJECT creation, and why the section persists after file deletion.

06 Intermediate

Process & Thread Creation

NtCreateProcessEx with the section handle, PEB parameter setup, RTL_USER_PROCESS_PARAMETERS, NtCreateThreadEx, and launching the ghosted process.

07 Advanced

AV/EDR Scan Timing Window

When AV scans occur (file create, section map, process create), why ghosting bypasses all three inspection points, and kernel callback analysis.

08 Advanced

Full Chain, Detection & Comparison

Complete ghosting flow, detection via NtQueryInformationProcess, file object state inspection, comparison with Doppelgänging and Herpaderping.

References & Resources