
GhostLock Tool Exploits Windows API to Block File Access

Summary

– A security researcher released GhostLock, a proof-of-concept tool that abuses the Windows `CreateFileW` API to block access to files on local drives or SMB shares.
– The technique uses the `dwShareMode` parameter set to 0 to grant exclusive file access, preventing other users or applications from opening the file.
– GhostLock automates the attack by recursively opening many files on SMB shares, causing sharing violations for other access attempts.
– The attack is a disruption-based denial-of-service technique, not destructive like ransomware, but could serve as a decoy during intrusions.
– Detection is challenging because the attack generates legitimate file open requests, with the only reliable observable being the per-session open-file count with ShareAccess=0 at the file server layer.

A security researcher has released a proof-of-concept tool called GhostLock that demonstrates how a legitimate Windows file API can be exploited to block access to files stored locally or on SMB network shares. The technique, developed by Kim Dvash of Israel Aerospace Industries, abuses the Windows CreateFileW API and its file-sharing modes to prevent other users and applications from opening files while handles remain active.

The GhostLock method specifically targets the `dwShareMode` parameter of the `CreateFileW()` function. This parameter controls the type of access other processes can have to a file while it is open. By setting `dwShareMode = 0`, a process gains exclusive access to the file, locking out all other users and applications. For instance, the call `HANDLE hFile = CreateFileW(L"\\\\server\\share\\finance.xlsx", GENERIC_READ, 0, NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);` opens `finance.xlsx` exclusively. Any subsequent attempt to open the file while that handle is held fails with a `STATUS_SHARING_VIOLATION` error.

Dvash has published the GhostLock tool on GitHub, which automates this attack by recursively opening a large number of files on SMB shares. While these file handles remain open, new access attempts fail with sharing violations. Notably, the tool can be run by standard domain users without elevated privileges. The attack’s impact intensifies if an attacker deploys it from multiple compromised devices simultaneously, continuously reacquiring file handles as previous processes terminate.

However, the disruption is temporary. Once the associated SMB session ends, GhostLock processes are killed, or the affected system reboots, Windows automatically closes the handles, restoring file access. Dvash told BleepingComputer that the technique is best classified as a disruption attack, not a destructive one like ransomware. “Yes, the impact is disruption-based, not destructive. The parallel to ransomware is the operational downtime window, not data loss,” he explained.

While GhostLock functions as a denial-of-service technique, it could serve as a strategic decoy during intrusions. Attackers might use widespread file-access disruptions to overwhelm IT staff while conducting data theft, lateral movement, or other malicious activities elsewhere in the environment. Dvash notes that many security products and behavioral detection systems focus on detecting mass file writes or encryption operations. GhostLock primarily generates large numbers of legitimate file open requests, making it less likely to trigger alarms.

“The only observable that reliably identifies this attack is the per-session open-file count with ShareAccess = 0 at the file server layer, a metric that lives inside storage platform management interfaces, not in Windows event logs, not in EDR telemetry, not in network flow data,” Dvash explains. To help defenders, the researcher has included SIEM queries and an NDR detection rule in the GhostLock whitepaper, providing a template for identifying such attacks.
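As an added example (not code from the article, the whitepaper or the GhostLock project), the following Python sketches the per-session check Dvash describes, run over a constructed export of a file server's open-file view. The record layout, field names and thresholds are assumptions; real storage platforms expose this data through their own management interfaces.

```python
import ntpath
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed sample records: (session_id, client, user, path, share_access).
# share_access uses the Win32 FILE_SHARE_* bit values; 0 means an exclusive open.
NORMAL_OPENS = [
    ("0x1a", "10.0.0.5", "CORP\\alice", "\\\\fs01\\finance\\q1.xlsx", 3),
    ("0x1a", "10.0.0.5", "CORP\\alice", "\\\\fs01\\finance\\budget.docx", 1),
    # A single exclusive open in one folder is ordinary application behaviour.
    ("0x3c", "10.0.0.9", "CORP\\carol", "\\\\fs01\\hr\\policy.pdf", 0),
]
# One session holding exclusive handles on every file under several folders,
# the pattern a recursive locker leaves behind (constructed, not real data).
FLOOD_OPENS = [
    ("0x2b", "10.0.0.77", "CORP\\bob", f"\\\\fs01\\finance\\{d}\\doc{i}.xlsx", 0)
    for d in ("2022", "2023", "2024", "archive") for i in range(20)
]
SAMPLE_OPEN_FILES = NORMAL_OPENS + FLOOD_OPENS


@dataclass
class SessionStats:
    session_id: str
    client: str
    user: str
    exclusive_opens: int = 0
    total_opens: int = 0
    dirs_touched: set = field(default_factory=set)


def summarize_sessions(records):
    """Aggregate open-file records into per-session counts of ShareAccess=0 handles."""
    stats = {}
    for session_id, client, user, path, share_access in records:
        s = stats.setdefault(session_id, SessionStats(session_id, client, user))
        s.total_opens += 1
        if share_access == 0:
            s.exclusive_opens += 1
            s.dirs_touched.add(ntpath.dirname(path))
    return stats


def flag_sessions(records, max_exclusive=25, min_dirs=3):
    """Return sessions whose exclusive-open count exceeds the threshold.

    Thresholds are assumed values; baseline them against normal sessions first.
    min_dirs separates a recursive locker from an application that holds many
    exclusive handles inside a single working directory.
    """
    hits = [s for s in summarize_sessions(records).values()
            if s.exclusive_opens > max_exclusive and len(s.dirs_touched) >= min_dirs]
    return sorted(hits, key=lambda s: s.exclusive_opens, reverse=True)


if __name__ == "__main__":
    for s in flag_sessions(SAMPLE_OPEN_FILES):
        print(f"session {s.session_id} {s.user}@{s.client}: {s.exclusive_opens}/"
              f"{s.total_opens} opens exclusive across {len(s.dirs_touched)} folders")
```

Because the handles vanish when the session ends, the check has to run against a live or frequently polled open-file view rather than historical logs.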

(Source: BleepingComputer)
