[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"project-75481":3},{"id":4,"name":5,"fullName":6,"owner":7,"repo":5,"description":8,"homepage":9,"htmlUrl":10,"language":11,"languages":10,"totalLinesOfCode":10,"stars":12,"forks":13,"watchers":14,"openIssues":15,"contributorsCount":15,"subscribersCount":15,"size":15,"stars1d":15,"stars7d":15,"stars30d":16,"stars90d":15,"forks30d":15,"starsTrendScore":15,"compositeScore":17,"rankGlobal":10,"rankLanguage":10,"license":18,"archived":19,"fork":19,"defaultBranch":20,"hasWiki":19,"hasPages":19,"topics":21,"createdAt":10,"pushedAt":10,"updatedAt":26,"readmeContent":27,"aiSummary":28,"trendingCount":15,"starSnapshotCount":15,"syncStatus":29,"lastSyncTime":30,"discoverSource":31},75481,"GhostLock","kimd155\u002FGhostLock","kimd155","SMB deny-share handle research tool. Lock files on an enterprise share with zero writes, zero encryption, and zero alerts in any behavioral defense. Standard user. One API call. No CVE.","https:\u002F\u002Fghostlock.io",null,"Python",128,20,53,0,82,52.17,"MIT License",false,"main",[22,23,24,25],"ransomware","red-team","smb","windows","2026-06-12 04:01:18","\u003Cdiv align=\"center\">\n\n\u003Cimg src=\"logo.png\">\n\n**SMB Deny-Share Handle Availability Research 
Tool**\n\n[![Python](https:\u002F\u002Fimg.shields.io\u002Fbadge\u002FPython-3.9%2B-blue?style=flat-square&logo=python)](https:\u002F\u002Fpython.org)\n[![Platform](https:\u002F\u002Fimg.shields.io\u002Fbadge\u002FPlatform-Windows-informational?style=flat-square&logo=windows)](https:\u002F\u002Fgithub.com\u002Fkimd155\u002Fghostlock)\n[![License](https:\u002F\u002Fimg.shields.io\u002Fbadge\u002FLicense-MIT-green?style=flat-square)](LICENSE)\n[![Use](https:\u002F\u002Fimg.shields.io\u002Fbadge\u002FUse-Authorized%20Only-red?style=flat-square)](https:\u002F\u002Fgithub.com\u002Fkimd155\u002Fghostlock)\n[![Paper](https:\u002F\u002Fimg.shields.io\u002Fbadge\u002FPaper-Zenodo-orange?style=flat-square)](https:\u002F\u002Fzenodo.org\u002Frecords\u002F20070064)\n[![Site](https:\u002F\u002Fimg.shields.io\u002Fbadge\u002FSite-ghostlock.io-cyan?style=flat-square)](https:\u002F\u002Fghostlock.io)\n\n*Ransomware-grade availability impact. Zero writes. Zero encryption. Zero traces in your SIEM.*\n\n[**Research Site**](https:\u002F\u002Fghostlock.io) · [**Whitepaper (PDF)**](https:\u002F\u002Fzenodo.org\u002Frecords\u002F20070064) · [**LinkedIn**](https:\u002F\u002Fwww.linkedin.com\u002Fin\u002Fkim-d-5b3114111\u002F)\n\n\u003C\u002Fdiv>\n\n---\n\n## Overview\n\nGhostLock demonstrates that a low-privileged Windows domain user with standard read access to an SMB share can produce **ransomware-equivalent organizational availability impact** with zero writes, zero encryption, and zero signals in every behavioral defense the modern enterprise security stack deploys.\n\nTwo techniques, one primitive:\n\n**v1 — File-level locking:** `CreateFileW` with `dwShareMode=0` across every file in a share. 32-thread parallel scanner. Hundreds of thousands of handles in minutes.\n\n**v2 — Directory-level locking:** `CreateFileW` with `dwShareMode=0` and `FILE_FLAG_BACKUP_SEMANTICS` on a directory object. One handle. One API call. 
The entire folder becomes a namespace blackout over SMB.\n\n**No CVE. No patch. No vulnerability.** Correct, documented Windows API behavior since Windows NT 3.1.\n\n---\n\n## Why This Changes Everything\n\n| Detection Signal | Encryption Ransomware | GhostLock |\n|---|---|---|\n| Bulk write I\u002FO | Detectable | **None** |\n| File rename \u002F new extension | Detectable | **None** |\n| Honey file triggered | Write to canary | **Read-open only** |\n| Behavioral AI (write rate) | Fires | **No writes** |\n| EDR on endpoint | Shellcode \u002F injection | **Looks like file indexer** |\n| DLP \u002F content inspection | Bulk read anomaly | **Indistinguishable from backup** |\n| Network traffic anomaly | Bulk SMB writes | **Identical to Word opening a doc** |\n| Storage session open-file count | Not relevant | **Only reliable signal** |\n\n---\n\n## v2 — Directory-Level Namespace Blackout\n\nOne handle on a directory subdirectory over SMB produces the following empirically confirmed results:\n\n| Operation | Local NTFS | Over SMB |\n|---|---|---|\n| Rename file inside dir | **Blocked** | **Blocked** |\n| **List directory contents** | Allowed | **Blocked** |\n| **Recursive copy \u002F backup** | Allowed | **Blocked** |\n| Open directory object | **Blocked** | **Blocked** |\n\nThe SMB server enforces directory exclusivity at the namespace level. `Get-ChildItem`, Explorer browsing, backup agents, and search indexers all fail. The directory becomes operationally invisible. Individual files at known paths remain accessible — what is destroyed is **discoverability**.\n\n---\n\n## Requirements\n\n- Windows 10 \u002F Server 2016 or later\n- Python 3.9+\n- Domain user account with read access to the target share\n- Sentinel file for v1 mode (see Safety)\n\nNo third-party packages. 
Pure Python stdlib.\n\n---\n\n## Installation\n\n```powershell\ngit clone https:\u002F\u002Fgithub.com\u002Fkimd155\u002Fghostlock.git\ncd ghostlock\n```\n\n---\n\n## Usage\n\n### Interactive Mode\n\n```powershell\npython ghostlock.py\n```\n\n```\n  Select mode:\n\n  [1]  Manual path     — paste a UNC path and lock all files\n  [2]  Auto-discover   — find shared folders on the network, pick which to lock\n  [3]  Directory lock  — lock an entire directory with a single handle (v2)\n  [q]  Quit\n```\n\n**Option 1** — file-level locking, 32-thread scanner, hundreds of thousands of handles:\n\n```\n  [?] Target UNC path  : \\\\fileserver\\share\\dept\n  [+] 4,819 handles acquired\n  [~] Holding ...   47s  |  4,819 files locked\n```\n\n**Option 2** — auto-discovers SMB shares, multi-select:\n\n```\n  [OK] \\\\server\\finance    12 files visible\n  [OK] \\\\server\\projects   84 files visible\n  Select : 1,2\n```\n\n**Option 3** — directory-level namespace blackout, one handle:\n\n```\n  [?] Target directory  : \\\\fileserver\\share\\finance\n  [+] Exclusive directory handle acquired!\n      Handle: 0x240\n  [~] Holding ...   
12s  |  directory locked\n```\n\n### CLI Mode\n\n```powershell\n# File-level, indefinite hold\npython ghostlock.py \"\\\\server\\share\\path\" `\n    --existing-folder --confirm-existing-lock --hold-indefinite\n\n# Timed hold with victim simulation\npython ghostlock.py \"\\\\server\\share\\path\" `\n    --existing-folder --confirm-existing-lock `\n    --locks 256 --hold-seconds 120 --victims 16\n```\n\n---\n\n## Safety Mechanism\n\nFor file-level locking, a sentinel file must exist in the target directory:\n\n```powershell\nNew-Item -ItemType File \"\\\\server\\share\\targetfolder\\.ghostlock_authorized\"\n```\n\nDirectory-level locking (option 3) does not require a sentinel — it acquires one handle on a path you explicitly provide.\n\n---\n\n## Output\n\n```\nGhostLock_PoC_report_YYYYMMDD_HHMMSS\u002F\n    lock_impact_result.json\n    lock_impact_result.md\n    ghostlock_cache.json\n```\n\n---\n\n## Research\n\n> **\"GhostLock: SMB Deny-Share Handles as a Zero-Privilege Availability Weapon\"**\n> Kim Dvash, May 2026\n\n**Read the full paper:** [zenodo.org\u002Frecords\u002F20070064](https:\u002F\u002Fzenodo.org\u002Frecords\u002F20070064)\n\n**Research site:** [ghostlock.io](https:\u002F\u002Fghostlock.io)\n\n---\n\n## Authorized Use Only\n\n```\nTHIS TOOL IS FOR AUTHORIZED SECURITY TESTING AND RESEARCH ONLY.\n\nRunning GhostLock against any system or network without explicit\nwritten authorization from the system owner is illegal and unethical.\n```\n\n---\n\n## License\n\nMIT — see [LICENSE](LICENSE)\n\n---\n\n\u003Cdiv align=\"center\">\n\n**Kim Dvash** · [linkedin.com\u002Fin\u002Fkim-d-5b3114111](https:\u002F\u002Fwww.linkedin.com\u002Fin\u002Fkim-d-5b3114111\u002F) · [ghostlock.io](https:\u002F\u002Fghostlock.io)\n\n`dwShareMode = 0x00000000`\n\n\u003C\u002Fdiv>\n","GhostLock is a tool for researching SMB deny-share handling that can lock files on an enterprise share with zero writes, zero encryption, and zero behavioral-defense alerts. Its core capabilities are file-level locking (locking individual files by calling the `CreateFileW`
API with `dwShareMode=0`) and directory-level locking (locking an entire directory using the `FILE_FLAG_BACKUP_SEMANTICS` flag); the latter needs only a single API call to black out the namespace of the whole folder. The tool is written in Python and designed for the Windows platform. GhostLock is particularly suited to red-team exercises, or to security researchers evaluating how effective existing defenses are against new attack techniques; it shows that even a standard-privilege user can cause ransomware-level availability impact without leaving any detectable behavioral traces.",2,"2026-06-11 03:52:54","CREATED_QUERY"]