
Understanding Process Ghosting in Detail

Pre-requisites

The following pre-requisites will help you enjoy this blog even more:

- Knowledge of C#
- Knowledge of the PE structure
- Familiarity with WinDbg
- A little knowledge of the Sysinternals tools

Introduction

A few months back, I came to know about a PE image tampering method called Process Ghosting. It is very similar to Process Doppelgänging and Process Herpaderping. The difference lies in the state of the file backing the image at the moment the image section is created: in Process Doppelgänging the PE image lives inside an NTFS transaction (a transacted state), while in Process Ghosting the file is in a delete-pending state, so that by the time the process is created from the section, the file it was mapped from no longer exists on disk.
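To make the "delete pending" part concrete, here is a small added C# example (my own illustration, not code from the original post or from the Process Ghosting proof of concept) that marks a file for deletion through NtSetInformationFile with FileDispositionInformation, the same primitive Process Ghosting relies on, and then observes the two properties that matter: while the marking handle stays open the file is still present but nobody can open it by path, and the moment the last handle closes the file is gone. The path under %TEMP%, the file name and the two-byte sample content are assumptions for the demo; the constants are the documented Win32/NT values.

```csharp
// Added example, not part of the original post.
// Assumes Windows, an NTFS volume for %TEMP%, and .NET Framework or .NET 5+.
using System;
using System.ComponentModel;
using System.IO;
using System.Runtime.InteropServices;
using Microsoft.Win32.SafeHandles;

static class DeletePendingDemo
{
    [StructLayout(LayoutKind.Sequential)]
    struct IO_STATUS_BLOCK
    {
        public IntPtr Status;
        public IntPtr Information;
    }

    // FileDispositionInformation (class 13) takes FILE_DISPOSITION_INFORMATION,
    // which is a single BOOLEAN field named DeleteFile.
    [DllImport("ntdll.dll")]
    static extern int NtSetInformationFile(
        SafeFileHandle FileHandle,
        ref IO_STATUS_BLOCK IoStatusBlock,
        ref byte FileInformation,
        uint Length,
        int FileInformationClass);

    [DllImport("kernel32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
    static extern SafeFileHandle CreateFileW(
        string lpFileName, uint dwDesiredAccess, uint dwShareMode,
        IntPtr lpSecurityAttributes, uint dwCreationDisposition,
        uint dwFlagsAndAttributes, IntPtr hTemplateFile);

    const uint GENERIC_READ = 0x80000000;
    const uint DELETE = 0x00010000;
    const uint FILE_SHARE_ALL = 0x1 | 0x2 | 0x4;   // read | write | delete
    const uint OPEN_EXISTING = 3;
    const uint FILE_ATTRIBUTE_NORMAL = 0x80;
    const int FileDispositionInformation = 13;
    const int ERROR_ACCESS_DENIED = 5;             // Win32 mapping of STATUS_DELETE_PENDING

    static void Main()
    {
        // Assumed demo location and constructed sample content ("MZ").
        string path = Path.Combine(Path.GetTempPath(), "ghost-demo.bin");
        File.WriteAllBytes(path, new byte[] { 0x4D, 0x5A });

        // 1. Open with DELETE access. Sharing is wide open so that the probe
        //    open in step 3 is refused only because of the delete-pending state,
        //    never because of a sharing violation.
        SafeFileHandle h = CreateFileW(path, GENERIC_READ | DELETE, FILE_SHARE_ALL,
            IntPtr.Zero, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, IntPtr.Zero);
        if (h.IsInvalid) throw new Win32Exception(Marshal.GetLastWin32Error());

        // 2. Mark the file delete-pending. It stays on disk until the last handle
        //    closes; Process Ghosting creates its image section from a handle
        //    while the file is in exactly this state.
        var iosb = new IO_STATUS_BLOCK();
        byte deleteFile = 1;
        int status = NtSetInformationFile(h, ref iosb, ref deleteFile, 1, FileDispositionInformation);
        Console.WriteLine($"NtSetInformationFile(FileDispositionInformation) -> NTSTATUS 0x{status:X8}");

        // 3. While delete-pending, a fresh open by path fails with "access denied",
        //    even though the handle we already hold keeps working.
        SafeFileHandle probe = CreateFileW(path, GENERIC_READ, FILE_SHARE_ALL,
            IntPtr.Zero, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, IntPtr.Zero);
        int err = Marshal.GetLastWin32Error();
        Console.WriteLine(probe.IsInvalid
            ? $"Second open refused, Win32 error {err} (expected {ERROR_ACCESS_DENIED})"
            : "Second open succeeded, so the file is not delete-pending");
        if (!probe.IsInvalid) probe.Close();

        // 4. Closing the last handle completes the deletion.
        h.Close();
        Console.WriteLine($"File still exists after close: {File.Exists(path)}");
    }
}
```

Build it with csc and run it from a normal user account; no privileges are needed because the file is our own. The ordering in the real technique is the important caveat: the delete disposition has to be set before the image section is created, because once a file is mapped as an image the file system refuses to mark it for deletion (STATUS_CANNOT_DELETE). The example stops short of creating the section and the process, which is what the later sections of this blog cover.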