Saved February 14, 2026
Do you care about this?
This article details how to use PhantomFS, a ProjFS (Windows Projected File System) provider that serves different file content depending on which process reads the file. The payload is stored on disk encrypted with AES-256-CBC and is decrypted only for allow-listed processes, so any other process, including EDR scanners and analysis tools, never sees the real content. Building requires the Windows SDK; enabling the ProjFS feature needs administrative rights, although the provider itself runs without elevation.
If you do, here's more
PhantomFS is a tool that changes what a file appears to contain depending on which process reads it. It is built as a ProjFS provider: the file lives under a virtualization root, and the provider's callbacks, which are told the identity of the triggering process, decide what each request receives. The payload sits on disk encrypted with AES-256-CBC and is decrypted in memory only for allow-listed processes; any other process is either denied or handed a decoy. The intent is to evade endpoint detection and response (EDR) products and to frustrate analysts, whose tools will fail to read the file or will read the decoy in place of the payload. Two consequences of the design are worth keeping in mind: the key and the decrypted payload necessarily exist in the provider process's memory while it is serving, and a ProjFS virtualization root and its placeholder files are reparse points carrying the ProjFS reparse tag (IO_REPARSE_TAG_PROJFS), so the projection itself remains visible to tooling that inspects reparse points even when the content does not.
Setup is three commands: `PhantomFS.exe -keygen` produces the key, `PhantomFS.exe -encrypt` turns the payload into an AES-256-CBC ciphertext, and a serve command (its full syntax is not reproduced in this summary) starts the provider with the ciphertext, the allow-list and a decoy file. In the example given, the payload is mimikatz and the decoy is a benign binary such as calc.exe: a non-allowed process that reads the projected file gets calc.exe, an allowed process gets mimikatz. The provider also refuses delete and rename requests from non-allowed processes, so they cannot remove or move the projected file.
Building requires Visual Studio 2022 and the Windows SDK, which ships the ProjFS headers and import library. The ProjFS optional feature (Client-ProjFS) must be enabled once on the host, and that step needs administrative rights; the provider itself runs at medium integrity, so launching it does not require elevation. Each ProjFS callback receives the identity of the triggering process, which is how the provider decides which bytes to return for a given request and keeps the content it returns consistent across repeated reads.
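The decision the provider makes on each request, as an added Python model that is not PhantomFS code and not taken from the article: keygen, encrypt and serve are reproduced as functions, and a provider class returns payload bytes to allow-listed process images, decoy bytes to everyone else, and refuses delete and rename from the latter. Three assumptions are mine: the allow-list is keyed on the triggering process's image path (ProjFS does hand a provider `TriggeringProcessId` and `TriggeringProcessImageFileName` in `PRJ_CALLBACK_DATA`, but the summary does not say how PhantomFS identifies allowed processes); the cipher is an HMAC-SHA256 counter-mode stream with an encrypt-then-MAC tag, standing in for the tool's AES-256-CBC so the script runs on a stock Python install; and the image paths and payload bytes in `demo()` are constructed.

```python
"""Model of the PhantomFS decision: one ciphertext on disk, two views of the file depending
on which process reads it. Added illustration, not PhantomFS code; the cipher is an
HMAC-SHA256 stand-in for AES-256-CBC and the image-path allow-list rule is an assumption."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass

NONCE_LEN = 16
TAG_LEN = 32


@dataclass(frozen=True)
class Request:
    """Caller identity as ProjFS reports it (TriggeringProcessId, TriggeringProcessImageFileName)."""
    pid: int
    image: str


def keygen():
    """Equivalent of PhantomFS.exe -keygen: a 32-byte master key."""
    return secrets.token_bytes(32)


def _derive(key, label):
    # Separate confidentiality and integrity keys from the master key.
    return hmac.new(key, label, hashlib.sha256).digest()


def _keystream(enc_key, nonce, length):
    # PRF in counter mode: HMAC(enc_key, nonce || counter) blocks, concatenated and truncated.
    blocks = (hmac.new(enc_key, nonce + i.to_bytes(8, "big"), hashlib.sha256).digest()
              for i in range(-(-length // 32)))
    return b"".join(blocks)[:length]


def encrypt(key, plaintext):
    """Equivalent of PhantomFS.exe -encrypt. Output layout: nonce || ciphertext || tag."""
    nonce = secrets.token_bytes(NONCE_LEN)
    stream = _keystream(_derive(key, b"enc"), nonce, len(plaintext))
    ct = bytes(p ^ k for p, k in zip(plaintext, stream))
    tag = hmac.new(_derive(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def decrypt(key, blob):
    """Check the tag before touching the ciphertext; ValueError on tampering or a wrong key."""
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(_derive(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("payload tampered or wrong key")
    stream = _keystream(_derive(key, b"enc"), nonce, len(ct))
    return bytes(c ^ k for c, k in zip(ct, stream))


class PhantomProvider:
    """Stand-in for the provider: `blob` is the only artefact on disk; key and plaintext stay in memory."""

    def __init__(self, key, blob, decoy, allowed_images):
        self._key, self._blob, self._plain = key, blob, None
        self._allowed = {p.lower() for p in allowed_images}  # NTFS paths are case-insensitive
        # ProjFS fixes a placeholder's size when it is created, so both views must report
        # one length; this model zero-pads the shorter one to match (my choice, not the tool's).
        self.size = max(len(blob) - NONCE_LEN - TAG_LEN, len(decoy))
        self._decoy = decoy.ljust(self.size, b"\0")

    def _payload(self):
        if self._plain is None:  # decrypt lazily, into provider memory only
            self._plain = decrypt(self._key, self._blob).ljust(self.size, b"\0")
        return self._plain

    def get_file_data(self, req, offset, length):
        """PRJ_GET_FILE_DATA_CB decision: allow-listed image gets payload bytes, others the decoy."""
        view = self._payload() if req.image.lower() in self._allowed else self._decoy
        return view[offset:offset + length]

    def notify(self, req, operation):
        """PRJ_NOTIFICATION_CB decision, True means proceed: delete/rename refused for non-allowed."""
        if operation in ("PRE_DELETE", "PRE_RENAME"):
            return req.image.lower() in self._allowed
        return True


def demo():
    # Constructed sample data; both image paths are hypothetical.
    payload = b"MZ-PAYLOAD-" * 6        # stands in for the served tool, e.g. mimikatz
    decoy = b"MZ-DECOY"                 # stands in for a benign binary such as calc.exe
    key = keygen()
    blob = encrypt(key, payload)        # what an on-disk scan actually finds
    prov = PhantomProvider(key, blob, decoy, {r"C:\Users\lab\loader.exe"})
    loader = Request(4242, r"C:\Users\lab\loader.exe")
    analyst = Request(1337, r"C:\Tools\strings.exe")
    return {
        "payload_visible_on_disk": payload in blob,
        "loader_reads": prov.get_file_data(loader, 0, 11),
        "analyst_reads": prov.get_file_data(analyst, 0, 8),
        "analyst_may_delete": prov.notify(analyst, "PRE_DELETE"),
        "loader_may_rename": prov.notify(loader, "PRE_RENAME"),
    }
```

Calling `demo()` returns the two views side by side: the loader reads `MZ-PAYLOAD-`, the analyst tool reads `MZ-DECOY` and is refused the delete, and the payload bytes do not occur in the ciphertext. The model also makes the trust boundary concrete: the on-disk blob is inert to a file scanner, but the key and the decrypted payload are in the provider's memory, and anything running under an allow-listed image path is handed the real bytes.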