New GhostLock tool abuses Windows API to block file access
Security researcher releases GhostLock PoC tool abusing Windows API to block file access.
Summary
Kim Dvash of Israel Aerospace Industries has published GhostLock, a proof-of-concept tool that demonstrates how the Windows CreateFileW API can be abused to block access to local and SMB network files by opening them in exclusive mode. The technique operates at the file-sharing level, passing dwShareMode=0 so that other processes cannot access the files while the handles remain active. It requires no elevated privileges and evades typical detection methods. Once the SMB session terminates or the processes are killed, access is automatically restored, making this primarily a disruption-based denial-of-service attack that could serve as a decoy during intrusions, distracting IT staff while attackers conduct data theft or lateral movement.
Full text
By Lawrence Abrams, May 11, 2026 06:02 PM

A security researcher has released a proof-of-concept tool named GhostLock that demonstrates how a legitimate Windows file API can be abused in attacks to block access to files stored locally or on SMB network shares.

This technique, created by Kim Dvash of Israel Aerospace Industries, abuses the Windows 'CreateFileW' API and file-sharing modes to prevent other users and applications from opening files while handles remain active.

The GhostLock technique abuses the 'dwShareMode' parameter in the CreateFileW() function, which specifies the type of access other processes have to a file while it is opened. When a file is opened with 'dwShareMode = 0', Windows grants the process exclusive access to the file, preventing other users or applications from opening it.

For example, the following code will open the finance.xlsx file in exclusive mode, preventing any other process from accessing it.

    HANDLE hFile = CreateFileW(
        L"\\\\server\\share\\finance.xlsx",
        GENERIC_READ,
        0,                      // dwShareMode = 0: no sharing (exclusive open)
        NULL,
        OPEN_EXISTING,
        FILE_ATTRIBUTE_NORMAL,
        NULL
    );

When another process attempts to open the file, Windows will display the following 'STATUS_SHARING_VIOLATION' error instead.

[Image: Windows file sharing error. Source: Kim Dvash]

The researcher has published a GhostLock tool on GitHub that automates this attack by recursively opening a large number of files on SMB shares. While these file handles are open, new attempts to access the files will fail with sharing violations.

The tool can be run by "standard" domain users, and does not need any elevated privileges to lock files. This is further compounded if an attacker launches the attack from multiple compromised devices simultaneously, while continuously reacquiring file handles as previous processes are terminated.
However, once the associated SMB session is terminated, the GhostLock processes are killed, or the affected system is rebooted, Windows automatically closes the handles, and access to the files is restored.

Dvash told BleepingComputer that the technique should be viewed primarily as a disruption attack rather than a destructive one, like ransomware.

"Yes, the impact is disruption-based, not destructive. The parallel to ransomware is the operational downtime window, not data loss," Dvash told BleepingComputer.

While this attack is more akin to a denial-of-service technique, it could be useful as a decoy during intrusions. Attackers could use widespread file-access disruptions to overwhelm IT staff while conducting data theft, lateral movement, or other malicious activity elsewhere in the environment.

The researcher says that many security products and behavioral detection systems focus on detecting mass file writes or encryption operations. GhostLock primarily generates large numbers of legitimate file open requests, making it less likely to be detected.

"The only observable that reliably identifies this attack is the per-session open-file count with ShareAccess = 0 at the file server layer — a metric that lives inside storage platform management interfaces, not in Windows event logs, not in EDR telemetry, not in network flow data," explains Dvash.

The researcher has shared SIEM queries and an NDR detection rule in the GhostLock whitepaper that IT teams and defenders can use as a template for detections.
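
The per-session count of opens with ShareAccess = 0 that Dvash names as the reliable observable can be computed from an open-file listing exported by the storage platform. The following is an added example, not code from the article, the whitepaper or the GhostLock repository: it assumes a hypothetical CSV export with the columns session_id, user, client, path and share_access (0 meaning no sharing), uses illustrative thresholds, and runs over constructed sample rows.

```python
import csv
import io
from collections import defaultdict


def exclusive_opens_per_session(export_text):
    """Tally total opens, exclusive opens (share_access == 0) and the
    distinct directories touched by exclusive opens, per SMB session."""
    stats = defaultdict(lambda: {"user": "", "client": "", "exclusive": 0,
                                 "total": 0, "dirs": set()})
    for row in csv.DictReader(io.StringIO(export_text)):
        s = stats[row["session_id"]]
        s["user"], s["client"] = row["user"], row["client"]
        s["total"] += 1
        if int(row["share_access"]) == 0:
            s["exclusive"] += 1
            s["dirs"].add(row["path"].rsplit("\\", 1)[0])
    return stats


def flag_sessions(export_text, min_exclusive=50, min_ratio=0.9):
    """Return sessions holding many exclusive opens that also make up nearly
    all of the session's opens. Thresholds are assumptions to tune per site."""
    flagged = []
    for sid, s in exclusive_opens_per_session(export_text).items():
        ratio = s["exclusive"] / s["total"]
        if s["exclusive"] >= min_exclusive and ratio >= min_ratio:
            flagged.append({"session_id": sid, "user": s["user"],
                            "client": s["client"], "exclusive": s["exclusive"],
                            "dirs": len(s["dirs"])})
    return sorted(flagged, key=lambda f: f["exclusive"], reverse=True)


def build_sample():
    """Constructed export: two ordinary sessions plus one session holding
    120 exclusive opens spread across six directories."""
    rows = ["session_id,user,client,path,share_access"]
    rows.append(r"101,CORP\alice,10.0.0.21,\\fs01\finance\q1.xlsx,3")
    rows.append(r"101,CORP\alice,10.0.0.21,\\fs01\finance\q2.xlsx,0")
    rows.append(r"102,CORP\bob,10.0.0.22,\\fs01\hr\policy.docx,1")
    for i in range(120):
        rows.append(rf"203,CORP\svc-test,10.0.0.99,\\fs01\dept{i % 6}\doc{i}.xlsx,0")
    return "\n".join(rows)


if __name__ == "__main__":
    for hit in flag_sessions(build_sample()):
        print(hit)
```

A single exclusive open, as in session 101, is normal application behavior; the signal is one session holding a large number of them across many directories, and terminating that session releases the handles.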
Indicators of Compromise
- malware — GhostLock