SMB Deny-Share Handle Availability Research Tool
Ransomware-grade availability impact. Zero writes. Zero encryption. Zero traces in your SIEM.
GhostLock demonstrates that a low-privileged Windows domain user with standard read access to an SMB share can produce ransomware-equivalent organizational availability impact with zero writes, zero encryption, and zero signals in every behavioral defense the modern enterprise security stack deploys.
Two techniques, one primitive:
v1 — File-level locking: CreateFileW with dwShareMode=0 across every file in a share. 32-thread parallel scanner. Hundreds of thousands of handles in minutes.
v2 — Directory-level locking: CreateFileW with dwShareMode=0 and FILE_FLAG_BACKUP_SEMANTICS on a directory object. One handle. One API call. The entire folder becomes a namespace blackout over SMB.
No CVE. No patch. No vulnerability. Correct, documented Windows API behavior since Windows NT 3.1.
| Detection Signal | Encryption Ransomware | GhostLock |
|---|---|---|
| Bulk write I/O | Detectable | None |
| File rename / new extension | Detectable | None |
| Honey file triggered | Write to canary | Read-open only |
| Behavioral AI (write rate) | Fires | No writes |
| EDR on endpoint | Shellcode / injection | Looks like file indexer |
| DLP / content inspection | Bulk read anomaly | Indistinguishable from backup |
| Network traffic anomaly | Bulk SMB writes | Identical to Word opening a doc |
| Storage session open-file count | Not relevant | Only reliable signal |
One handle on a directory subdirectory over SMB produces the following empirically confirmed results:
| Operation | Local NTFS | Over SMB |
|---|---|---|
| Rename file inside dir | Blocked | Blocked |
| List directory contents | Allowed | Blocked |
| Recursive copy / backup | Allowed | Blocked |
| Open directory object | Blocked | Blocked |
The SMB server enforces directory exclusivity at the namespace level. Get-ChildItem, Explorer browsing, backup agents, and search indexers all fail. The directory becomes operationally invisible. Individual files at known paths remain accessible — what is destroyed is discoverability.
- Windows 10 / Server 2016 or later
- Python 3.9+
- Domain user account with read access to the target share
- Sentinel file for v1 mode (see Safety)
No third-party packages. Pure Python stdlib.
git clone https://github.com/kimd155/ghostlock.git
cd ghostlockpython ghostlock.py Select mode:
[1] Manual path — paste a UNC path and lock all files
[2] Auto-discover — find shared folders on the network, pick which to lock
[3] Directory lock — lock an entire directory with a single handle (v2)
[q] Quit
Option 1 — file-level locking, 32-thread scanner, hundreds of thousands of handles:
[?] Target UNC path : \\fileserver\share\dept
[+] 4,819 handles acquired
[~] Holding ... 47s | 4,819 files locked
Option 2 — auto-discovers SMB shares, multi-select:
[OK] \\server\finance 12 files visible
[OK] \\server\projects 84 files visible
Select : 1,2
Option 3 — directory-level namespace blackout, one handle:
[?] Target directory : \\fileserver\share\finance
[+] Exclusive directory handle acquired!
Handle: 0x240
[~] Holding ... 12s | directory locked
# File-level, indefinite hold
python ghostlock.py "\\server\share\path" `
--existing-folder --confirm-existing-lock --hold-indefinite
# Timed hold with victim simulation
python ghostlock.py "\\server\share\path" `
--existing-folder --confirm-existing-lock `
--locks 256 --hold-seconds 120 --victims 16For file-level locking, a sentinel file must exist in the target directory:
New-Item -ItemType File "\\server\share\targetfolder\.ghostlock_authorized"Directory-level locking (option 3) does not require a sentinel — it acquires one handle on a path you explicitly provide.
GhostLock_PoC_report_YYYYMMDD_HHMMSS/
lock_impact_result.json
lock_impact_result.md
ghostlock_cache.json
"GhostLock: SMB Deny-Share Handles as a Zero-Privilege Availability Weapon" Kim Dvash, May 2026
Read the full paper: zenodo.org/records/20070064
Research site: ghostlock.io
THIS TOOL IS FOR AUTHORIZED SECURITY TESTING AND RESEARCH ONLY.
Running GhostLock against any system or network without explicit
written authorization from the system owner is illegal and unethical.
MIT — see LICENSE
Kim Dvash · linkedin.com/in/kim-d-5b3114111 · ghostlock.io
dwShareMode = 0x00000000