explaingit

blacksnufkin/credshunter

Analysis updated 2026-05-18

17RustAudience · researcherSetup · moderate

TLDR

A proof of concept exploit for a disclosed Windows anti-cheat driver vulnerability, CVE-2026-3609, that dumps login credentials from LSASS via a kernel handle leak.

Mindmap

mindmap
  root((repo))
    What it does
      CVE proof of concept
      LSASS credential dump
      Kernel handle leak
    Technique
      BYOVD
      PPL bypass
      Signed vulnerable driver
    Tech stack
      Rust
      Windows kernel
    Audience
      Security researchers
      Defenders

Code map

Detail Auto

An interactive map of this repo's files and how they connect — its source is parsed live in your browser. Click Visualize to build it.

filefunction / class

What do people build with it?

USE CASE 1

Study and reproduce a documented BYOVD credential-dumping technique for security research.

USE CASE 2

Build detection rules for defenders to catch this specific driver-abuse attack pattern.

USE CASE 3

Verify whether a signed driver in your environment matches the vulnerable xhunter1.sys build.

What is it built with?

RustWindows

How does it compare?

blacksnufkin/credshunteratelico/gdstyleathxrvx/spear
Stars171717
LanguageRustRustRust
Setup difficultymoderateeasymoderate
Complexity2/52/5
Audienceresearcherdeveloperdeveloper

Figures from each repo's GitHub metadata at analysis time.

How do you get it running?

Difficulty · moderate Time to first run · 30min

Requires Rust to build and a Windows test machine you are authorized to load a vulnerable signed driver on.

In plain English

CredsHunter is a proof of concept security tool built to demonstrate a specific, publicly disclosed vulnerability, tracked as CVE-2026-3609, in a Windows anti-cheat driver called xhunter1.sys made by Wellbia's XIGNCODE3 system. The README explains that this driver exposes a command interface with a bug: it hands out a powerful, kernel level handle to any process that asks for it, without properly checking whether the caller is allowed to have it. Because that handle bypasses Windows' Protected Process Light security feature, it lets the tool read the memory of a protected system process called LSASS, which normally guards Windows login credentials. Once it has that access, the tool locates and decrypts the encryption keys LSASS uses internally, then walks through the list of currently logged in user sessions to recover their password hashes. The README documents this process in detail, including the exact commands sent to the vulnerable driver and the exact memory offsets used to find the credential data. This is what security researchers call a Bring Your Own Vulnerable Driver, or BYOVD, technique: rather than exploiting Windows itself, an attacker installs a legitimate, digitally signed but flawed driver and abuses its bug. The vulnerable driver file itself is included in the repository so the proof of concept can be reproduced end to end, along with its file hash so anyone downloading it can confirm it matches the original. The author, who also wrote a public technical writeup of the vulnerability, includes a clear disclaimer that this tool is meant only for authorized security research and testing, and that loading the vulnerable driver on a system without permission is illegal in most places. The project is written in Rust. This repository is intended for security researchers and defenders who want to understand and detect this specific attack technique, not for casual users.

Copy-paste prompts

Prompt 1
Explain how this proof of concept bypasses Protected Process Light to read LSASS memory.
Prompt 2
Walk me through how the BYOVD technique in this repo works step by step.
Prompt 3
Help me write detection logic for security tooling to catch this specific driver abuse pattern.

Frequently asked questions

What is credshunter?

A proof of concept exploit for a disclosed Windows anti-cheat driver vulnerability, CVE-2026-3609, that dumps login credentials from LSASS via a kernel handle leak.

What language is credshunter written in?

Mainly Rust. The stack also includes Rust, Windows.

How hard is credshunter to set up?

Setup difficulty is rated moderate, with roughly 30min to a first successful run.

Who is credshunter for?

Mainly researcher.

Open on GitHub → Explain another repo

This repo across BitVibe Labs

Verify against the repo before relying on details.