One Day Sec

How does GhostWebShell from ysoserial.net improve upon the basic virtual file webshell?

GhostWebShell eliminates the dependency on a physical trigger file by combining the virtual file technique with .NET deserialization. Instead of relying on a real `.aspx` file, it uses a crafted `ViewState` payload (via a known `machineKey`) to trigger the creation of the virtual path provider and the webshell during the page lifecycle. The webshell therefore leaves no file on disk: the virtual file is created in memory, which significantly increases stealth. The approach is particularly effective in Exchange environments where attackers can modify `web.config` to set a known `machineKey` for deserialization.
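Because the webshell itself never touches disk, the `web.config` change mentioned above is one of the few on-disk artifacts a defender can audit. The following Python sketch is an added example, not part of the original answer or of ysoserial.net: it flags `<machineKey>` elements that carry a literal key instead of the auto-generated default. The function name `audit_machine_keys` and both sample configs are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample configs for illustration (not from a real server).
SAMPLE_DEFAULT = """<configuration>
  <system.web>
    <machineKey validationKey="AutoGenerate,IsolateApps"
                decryptionKey="AutoGenerate,IsolateApps" />
  </system.web>
</configuration>"""

SAMPLE_STATIC = """<configuration>
  <location path="ecp">
    <system.web>
      <machineKey validationKey="PLACEHOLDER0123456789ABCDEF"
                  decryptionKey="AutoGenerate" />
    </system.web>
  </location>
</configuration>"""


def _local(tag):
    """Strip an XML namespace prefix such as {uri}machineKey."""
    return tag.rsplit("}", 1)[-1]


def audit_machine_keys(config_xml):
    """Return one finding per literal (non-auto-generated) machineKey value."""
    root = ET.fromstring(config_xml)
    # Child -> parent map, used to find the enclosing <location path="...">.
    parents = {child: parent for parent in root.iter() for child in parent}
    findings = []
    for elem in root.iter():
        if _local(elem.tag) != "machineKey":
            continue
        scope, node = "(site root)", elem
        while node in parents:
            node = parents[node]
            if _local(node.tag) == "location":
                scope = node.get("path", "(no path)")
                break
        for attr in ("validationKey", "decryptionKey"):
            value = (elem.get(attr) or "").strip()
            # A missing attribute falls back to the auto-generated default.
            if value and not value.lower().startswith("autogenerate"):
                # Report the length only, never the key material itself.
                findings.append({"scope": scope, "attribute": attr, "key_chars": len(value)})
    return findings
```

A static key is also a legitimate setting in load-balanced deployments, so a finding is a prompt to compare against a known-good baseline and the file's change history rather than proof of compromise.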