Securing Files via Lockdown: A Guide to Using GhostLock for Windows API File Blocking
Introduction
GhostLock is a proof-of-concept tool that demonstrates how a legitimate Windows file API can be used to prevent any process from opening a file, whether stored locally or on an SMB network share. This guide will walk you through using GhostLock to lock files, effectively blocking all read and write access until the lock is released. Intended for security researchers and IT professionals, this tool is for testing and educational purposes only. Misuse can disrupt system operations—always test in a controlled environment.

What You Need
- Windows 10 or 11 (64-bit recommended)
- GhostLock source code (download from the researcher's GitHub repository)
- Visual Studio Build Tools (or MinGW-w64) to compile the code
- Administrator privileges on the target machine (some file operations require elevation)
- Target file to lock (local path or UNC path for SMB)
- Command Prompt or PowerShell (run as Administrator)
Step-by-Step Instructions
- Step 1: Download GhostLock – Visit the official GhostLock repository (e.g., on GitHub) and download the source code as a ZIP archive, or clone it using `git clone <repository-url>`. Extract the files if needed.
- Step 2: Compile the Tool – Open a Developer Command Prompt for Visual Studio (or use MinGW). Navigate to the extracted folder and run `cl /nologo /O2 /W4 ghostlock.c` (for Visual Studio) or `gcc -o ghostlock.exe ghostlock.c -ladvapi32` (for MinGW). Ensure the build succeeds—you should now have `ghostlock.exe` in the same directory.
- Step 3: Verify Requirements – Right-click your Command Prompt shortcut and select Run as administrator if not already elevated. Check that the target file exists and that you have read permissions on it. For SMB shares, ensure network credentials are available.
- Step 4: Lock a File – Execute the following syntax: `ghostlock.exe <path-to-file>` (e.g., `ghostlock.exe C:\test\secret.docx`). If the file is on an SMB share, use its UNC path: `ghostlock.exe \\server\share\file.txt`. The tool will attempt to open the file with zero sharing mode (`dwShareMode = 0`), preventing any other handle from accessing it.
- Step 5: Confirm the Lock – While GhostLock is running, try to open the locked file with another program (e.g., Notepad, Word, or a file manager). You should receive an error like “The process cannot access the file because it is being used by another process.” This confirms the lock is active.
- Step 6: Release the Lock – To unlock the file, you must terminate the GhostLock process. Press `Ctrl+C` in the command window where GhostLock is running, or use Task Manager to end the `ghostlock.exe` process. After termination, the file will be accessible again.
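A scripted version of the Step 5 check, added here as an example and not part of GhostLock or the original guide: it probes a file from PowerShell and reports whether the open fails with a sharing violation (the error quoted in Step 5) rather than a permissions problem. The function name `Test-FileShareLock` is hypothetical; the sample paths are the ones used in Step 4.

```powershell
# Added example: classify why a file cannot be opened.
# Test-FileShareLock is a hypothetical helper name, not part of GhostLock.
function Test-FileShareLock {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)]
        [string]$Path    # local path or UNC path
    )

    $ERROR_SHARING_VIOLATION = 32   # Win32 code behind "being used by another process"
    $stream = $null
    try {
        # Request read access only and offer every sharing right, so the probe
        # fails only when an existing handle refuses to share reads
        # (a handle opened with dwShareMode = 0 does).
        $stream = [System.IO.File]::Open(
            $Path,
            [System.IO.FileMode]::Open,
            [System.IO.FileAccess]::Read,
            [System.IO.FileShare]'ReadWrite, Delete')
        $state = 'Readable'
    }
    catch {
        # .NET exceptions raised by a method call arrive wrapped; unwrap first.
        $ex = $_.Exception.GetBaseException()
        if ($ex -is [System.IO.FileNotFoundException] -or
            $ex -is [System.IO.DirectoryNotFoundException]) {
            $state = 'NotFound'
        }
        elseif ($ex -is [System.UnauthorizedAccessException]) {
            $state = 'AccessDenied'        # ACL problem, not a lock
        }
        elseif ($ex -is [System.IO.IOException] -and
                ($ex.HResult -band 0xFFFF) -eq $ERROR_SHARING_VIOLATION) {
            $state = 'SharingViolation'    # another handle blocks read sharing
        }
        else {
            throw                          # unrelated failure: surface it
        }
    }
    finally {
        if ($stream) { $stream.Dispose() } # never hold the probe handle open
    }

    [pscustomobject]@{ Path = $Path; State = $state; CheckedAt = Get-Date }
}

# Constructed sample paths (taken from Step 4); replace with the files under test.
'C:\test\secret.docx', '\\server\share\file.txt' |
    ForEach-Object { Test-FileShareLock -Path $_ }
```

A `SharingViolation` result only shows that some handle denies read sharing; identifying the owning process still requires Handle or Process Explorer.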
Tips for Safe and Effective Use
- Always test on non-critical files first. GhostLock can cause applications to hang if they depend on the locked file. Use disposable files in a sandbox environment.
- Use with caution on SMB shares. Locking a file on a network share affects all users connected to that share. Notify others before testing.
- Keep the source code handy. You can modify the tool to support a timeout or auto-release feature by adding a simple `Sleep()` and close handle call.
- Monitor Task Manager. If GhostLock crashes or the process is orphaned, you may need to use a tool like Handle from Sysinternals (or Process Explorer) to find and close the handle manually.
- Combine with other security research. Use GhostLock to simulate ransomware-like behavior or to test your file access monitoring solutions.
- Update Windows and Antivirus. Some security software may detect GhostLock as malicious—ensure you have an exclusion rule if you plan to use it frequently.