kimd155/GhostLock: **SMB Deny-Share Handle Availability Research Tool**

SMB Deny-Share Handle Availability Research Tool

Ransomware-grade availability impact. Zero writes. Zero encryption. Zero traces in your SIEM.

Research Site · Whitepaper (PDF) · LinkedIn

Overview

GhostLock demonstrates that a low-privileged Windows domain user with standard read access to an SMB share can produce ransomware-equivalent organizational availability impact with zero writes, zero encryption, and zero signals in every behavioral defense the modern enterprise security stack deploys.

Two techniques, one primitive:

v1 — File-level locking: CreateFileW with dwShareMode=0 across every file in a share. 32-thread parallel scanner. Hundreds of thousands of handles in minutes.

v2 — Directory-level locking: CreateFileW with dwShareMode=0 and FILE_FLAG_BACKUP_SEMANTICS on a directory object. One handle. One API call. The entire folder becomes a namespace blackout over SMB.

No CVE. No patch. No vulnerability. Correct, documented Windows API behavior since Windows NT 3.1.

Why This Changes Everything

v2 — Directory-Level Namespace Blackout

One handle on a directory subdirectory over SMB produces the following empirically confirmed results:

The SMB server enforces directory exclusivity at the namespace level. Get-ChildItem, Explorer browsing, backup agents, and search indexers all fail. The directory becomes operationally invisible. Individual files at known paths remain accessible — what is destroyed is discoverability.

Requirements

• Windows 10 / Server 2016 or later
• Python 3.9+
• Domain user account with read access to the target share
• Sentinel file for v1 mode (see Safety)

No third-party packages. Pure Python stdlib.

Installation

git clone https://github.com/kimd155/ghostlock.git
cd ghostlock

Usage

Interactive Mode

python ghostlock.py

  Select mode:

  [1]  Manual path     — paste a UNC path and lock all files
  [2]  Auto-discover   — find shared folders on the network, pick which to lock
  [3]  Directory lock  — lock an entire directory with a single handle (v2)
  [q]  Quit

Option 1 — file-level locking, 32-thread scanner, hundreds of thousands of handles:

  [?] Target UNC path  : \\fileserver\share\dept
  [+] 4,819 handles acquired
  [~] Holding ...   47s  |  4,819 files locked

Option 2 — auto-discovers SMB shares, multi-select:

  [OK] \\server\finance    12 files visible
  [OK] \\server\projects   84 files visible
  Select : 1,2

Option 3 — directory-level namespace blackout, one handle:

  [?] Target directory  : \\fileserver\share\finance
  [+] Exclusive directory handle acquired!
      Handle: 0x240
  [~] Holding ...   12s  |  directory locked

CLI Mode

python ghostlock.py "\\server\share\path" `
    --existing-folder --confirm-existing-lock --hold-indefinite

# Timed hold with victim simulation
python ghostlock.py "\\server\share\path" `
    --existing-folder --confirm-existing-lock `
    --locks 256 --hold-seconds 120 --victims 16

Safety Mechanism

For file-level locking, a sentinel file must exist in the target directory:

New-Item -ItemType File "\\server\share\targetfolder\.ghostlock_authorized"

Directory-level locking (option 3) does not require a sentinel — it acquires one handle on a path you explicitly provide.

Output

GhostLock_PoC_report_YYYYMMDD_HHMMSS/
    lock_impact_result.json
    lock_impact_result.md
    ghostlock_cache.json

Research

"GhostLock: SMB Deny-Share Handles as a Zero-Privilege Availability Weapon" Kim Dvash, May 2026

Read the full paper: zenodo.org/records/20070064

Research site: ghostlock.io

Authorized Use Only

THIS TOOL IS FOR AUTHORIZED SECURITY TESTING AND RESEARCH ONLY.

Running GhostLock against any system or network without explicit
written authorization from the system owner is illegal and unethical.