Analysis updated 2026-05-18
Study and reproduce a documented BYOVD credential-dumping technique for security research.
Build detection rules for defenders to catch this specific driver-abuse attack pattern.
Verify whether a signed driver in your environment matches the vulnerable xhunter1.sys build.
| blacksnufkin/credshunter | atelico/gdstyle | athxrvx/spear | |
|---|---|---|---|
| Stars | 17 | 17 | 17 |
| Language | Rust | Rust | Rust |
| Setup difficulty | moderate | easy | moderate |
| Complexity | — | 2/5 | 2/5 |
| Audience | researcher | developer | developer |
Figures from each repo's GitHub metadata at analysis time.
Requires Rust to build and a Windows test machine you are authorized to load a vulnerable signed driver on.
CredsHunter is a proof of concept security tool built to demonstrate a specific, publicly disclosed vulnerability, tracked as CVE-2026-3609, in a Windows anti-cheat driver called xhunter1.sys made by Wellbia's XIGNCODE3 system. The README explains that this driver exposes a command interface with a bug: it hands out a powerful, kernel level handle to any process that asks for it, without properly checking whether the caller is allowed to have it. Because that handle bypasses Windows' Protected Process Light security feature, it lets the tool read the memory of a protected system process called LSASS, which normally guards Windows login credentials. Once it has that access, the tool locates and decrypts the encryption keys LSASS uses internally, then walks through the list of currently logged in user sessions to recover their password hashes. The README documents this process in detail, including the exact commands sent to the vulnerable driver and the exact memory offsets used to find the credential data. This is what security researchers call a Bring Your Own Vulnerable Driver, or BYOVD, technique: rather than exploiting Windows itself, an attacker installs a legitimate, digitally signed but flawed driver and abuses its bug. The vulnerable driver file itself is included in the repository so the proof of concept can be reproduced end to end, along with its file hash so anyone downloading it can confirm it matches the original. The author, who also wrote a public technical writeup of the vulnerability, includes a clear disclaimer that this tool is meant only for authorized security research and testing, and that loading the vulnerable driver on a system without permission is illegal in most places. The project is written in Rust. This repository is intended for security researchers and defenders who want to understand and detect this specific attack technique, not for casual users.
A proof of concept exploit for a disclosed Windows anti-cheat driver vulnerability, CVE-2026-3609, that dumps login credentials from LSASS via a kernel handle leak.
Mainly Rust. The stack also includes Rust, Windows.
Setup difficulty is rated moderate, with roughly 30min to a first successful run.
Mainly researcher.
This repo across BitVibe Labs
Verify against the repo before relying on details.