
New GhostLock tool abuses Windows API to block file access

Why This Matters

The GhostLock tool highlights a new method for malicious actors to intentionally block access to files on Windows systems using legitimate APIs, potentially disrupting workflows or causing denial-of-service scenarios. Its ease of use without elevated privileges and automation capabilities make it a concerning threat for both enterprise and consumer environments. This underscores the importance of monitoring file sharing behaviors and implementing safeguards against API abuse in Windows networks.

Key Takeaways

A security researcher has released a proof-of-concept tool named GhostLock that demonstrates how a legitimate Windows file API can be abused in attacks to block access to files stored locally or on SMB network shares.

This technique, created by Kim Dvash of Israel Aerospace Industries, abuses the Windows 'CreateFileW' API and file-sharing modes to prevent other users and applications from opening files while handles remain active.

The GhostLock technique abuses the 'dwShareMode' parameter of the CreateFileW() function, which specifies what kind of access other processes are allowed to a file while the opening process holds a handle to it.

When a file is opened with 'dwShareMode = 0', Windows grants the process exclusive access to the file, preventing other users or applications from opening it for as long as the handle stays open.

For example, the following code will open the finance.xlsx file in exclusive mode, preventing any other process from accessing it.

HANDLE hFile = CreateFileW(
    L"\\\\server\\share\\finance.xlsx",   // lpFileName: UNC path to a file on an SMB share
    GENERIC_READ,                         // dwDesiredAccess: read-only is enough to hold the lock
    0,                                    // dwShareMode = 0: no sharing, exclusive access
    NULL,                                 // lpSecurityAttributes
    OPEN_EXISTING,                        // dwCreationDisposition: fail if the file does not exist
    FILE_ATTRIBUTE_NORMAL,                // dwFlagsAndAttributes
    NULL                                  // hTemplateFile
);

When another user or application then attempts to open the file, Windows rejects the request with a 'STATUS_SHARING_VIOLATION' error, shown below.

[Image: Windows file sharing error. Source: Kim Dvash]
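As an added illustration that is not part of the article or of the GhostLock project, the following PowerShell script reproduces the sharing-mode semantics described above from .NET, whose FileShare values map directly onto CreateFileW's dwShareMode (FileShare.None is 0). A file held with FileShare.None rejects a second reader with ERROR_SHARING_VIOLATION (Win32 error 32, surfaced as HRESULT 0x80070020), while the same file held with FileShare.Read can still be opened. The temporary file, its contents and the helper name Test-OpenWhileHeld are assumptions made for the example.

```powershell
# Added example, not code from the article or the GhostLock project.
# Demonstrates what dwShareMode controls, using .NET's FileShare enum
# (FileShare.None == dwShareMode 0, i.e. exclusive access).

$path = Join-Path $env:TEMP 'sharemode-demo.txt'   # constructed sample file
Set-Content -Path $path -Value 'sample data'

function Test-OpenWhileHeld {
    param(
        [string]$Path,
        [System.IO.FileShare]$HolderShareMode   # share mode used by the handle already held
    )
    # First handle: stands in for a process that already has the file open.
    $holder = [System.IO.File]::Open($Path, [System.IO.FileMode]::Open,
                                     [System.IO.FileAccess]::Read, $HolderShareMode)
    try {
        # Second open, as a well-behaved reader would do it (allows others to read/write).
        try {
            $second = [System.IO.File]::Open($Path, [System.IO.FileMode]::Open,
                                             [System.IO.FileAccess]::Read,
                                             [System.IO.FileShare]::ReadWrite)
            $second.Dispose()
            return 'opened'
        } catch [System.IO.IOException] {
            # Low 16 bits of the HRESULT carry the Win32 error code; 32 is ERROR_SHARING_VIOLATION.
            if (($_.Exception.HResult -band 0xFFFF) -eq 32) { return 'sharing violation' }
            throw
        }
    } finally {
        $holder.Dispose()   # releasing the handle ends the lock
    }
}

"Holder opened with FileShare.None (dwShareMode = 0): $(Test-OpenWhileHeld $path None)"
"Holder opened with FileShare.Read:                  $(Test-OpenWhileHeld $path Read)"
Remove-Item $path
```

The point for application owners is the second half of the script: a sharing violation is a distinct, recognisable error code, so software that reads from shares can tell "file locked by another handle" apart from "file missing" or "access denied", log it, and retry later instead of failing silently.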

The researcher has published a GhostLock tool on GitHub that automates this attack by recursively opening a large number of files on SMB shares. While these file handles are open, new attempts to access the files will fail with sharing violations.
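The server-side footprint of what the article describes is one SMB session holding open handles on an unusually large number of files. As an added example that is not part of the article or of the GhostLock project, the following PowerShell script, run as an administrator on a Windows file server with the SmbShare module, groups the open files reported by Get-SmbOpenFile by client and user, flags any pair above a threshold, and offers to close the offending handles with Close-SmbOpenFile. The threshold of 200 is an assumption to be tuned to the share's normal workload.

```powershell
# Added example, not code from the article or the GhostLock project.
# Detects SMB clients holding unusually many open handles on this file server
# and, on confirmation, releases those handles so other users can open the files.
# Requires the SmbShare module; run in an elevated session on the file server.

$Threshold = 200   # assumption: handles per client/user pair considered abnormal

$suspicious = Get-SmbOpenFile |
    Group-Object ClientComputerName, ClientUserName |
    Where-Object { $_.Count -ge $Threshold } |
    ForEach-Object {
        [pscustomobject]@{
            Client    = $_.Group[0].ClientComputerName
            User      = $_.Group[0].ClientUserName
            OpenFiles = $_.Count
            Sessions  = ($_.Group.SessionId | Sort-Object -Unique) -join ','
            Sample    = ($_.Group.Path | Select-Object -First 3) -join '; '
        }
    }

if (-not $suspicious) {
    "No client/user pair holds $Threshold or more open files."
    return
}

$suspicious | Format-Table -AutoSize

# Mitigation: closing handles server-side also disrupts legitimate work by that client,
# so each close is gated behind -Confirm rather than applied automatically.
foreach ($s in $suspicious) {
    Get-SmbOpenFile |
        Where-Object { $_.ClientComputerName -eq $s.Client -and $_.ClientUserName -eq $s.User } |
        Close-SmbOpenFile -Confirm
}
```

Because the handles in this technique are held rather than used, the signal is a high and flat count of open files per session over time rather than a burst of reads or writes; sampling Get-SmbOpenFile on a schedule and comparing counts between runs separates this from a backup job or indexer that opens many files briefly.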
