A security researcher has released a proof-of-concept tool named GhostLock that demonstrates how a legitimate Windows file API can be abused in attacks to block access to files stored locally or on SMB network shares.

This technique, created by Kim Dvash of Israel Aerospace Industries, abuses the Windows ‘CreateFileW’ API and file-sharing modes to prevent other users and applications from opening files while handles remain active.

The GhostLock technique abuses the ‘dwShareMode’ parameter in the CreateFileW function, which specifies the type of access other processes have to a file while it is opened.