Bypass Record
Exploitation for Priv-Esc × Wellbia.com Co., Ltd. XIGNCODE3 (xhunter1.sys)
A publicly-reported instance of Exploitation for Priv-Esc bypassing Wellbia.com Co., Ltd. XIGNCODE3 (xhunter1.sys), recorded with its original source. Factual record; no assessment of any specific deployment.
Reported as
The driver's IRP_MJ_WRITE handler for command 785 calls ObOpenObjectByPointer with KernelMode access mode, bypassing access checks, and omits OBJ_KERNEL_HANDLE, placing the handle in the caller's process handle table.
Mechanism
The driver exposes a command interface through WriteFile (IRP_MJ_WRITE), so the request body is entirely attacker-controlled. Command 785 takes a target PID and a desired access mask from the request, resolves the PID to a process object, and calls ObOpenObjectByPointer with AccessMode=KernelMode and HandleAttributes=0. KernelMode tells the object manager to skip the access check against the target's security descriptor, so the requested mask (up to PROCESS_ALL_ACCESS) is granted regardless of the caller's token; and because OBJ_KERNEL_HANDLE is not set, the resulting handle is inserted into the current process's handle table, which is the user-mode caller's, rather than the System process's. The net effect is that an unprivileged local process receives a fully privileged handle to an arbitrary process. The device object is created with a default security descriptor, so opening it requires no privilege at all; a hardened driver would create the device with a restrictive SDDL (for example via IoCreateDeviceSecure) and open the target with AccessMode=UserMode so that the caller's own token is checked.
Detection & mitigation
Monitor for handle requests to lsass.exe carrying sensitive rights (PROCESS_VM_READ, or outright PROCESS_ALL_ACCESS) from processes that are not expected to touch it, via Sysmon Event ID 10 (ProcessAccess) or Security Event ID 4656 (A handle to an object was requested). Because the handle is created in the calling process's context, the Sysmon event is expected to name the user-mode caller as SourceImage even though the open itself was performed by the driver; Event 4656 only fires when the Kernel Object audit subcategory is enabled and the target carries a matching SACL. Mitigation: apply the vendor patch; restrict the driver's device object ACL so non-administrators cannot open it; or block the vulnerable driver version with WDAC (by hash or signer) or with the ASR rule "Block abuse of exploited vulnerable signed drivers".
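The lsass-focused triage described above, as an added example that is not part of this record or of the cited source: a small Python scanner over Sysmon Event ID 10 XML that flags non-allowlisted images obtaining PROCESS_VM_READ or PROCESS_ALL_ACCESS on lsass.exe. The event records, image paths, user names and the allowlist are constructed for illustration; the access-right constants are the documented winnt.h values.

```python
"""Triage Sysmon Event ID 10 (ProcessAccess) records for suspicious lsass.exe opens.

Added example for this record, not code from the cited source or the vendor.
The event records are constructed in the standard Sysmon EventData layout;
the source image paths, users and the allowlist are assumptions for illustration.
"""
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Process access rights (winnt.h).
PROCESS_VM_READ = 0x0010
PROCESS_ALL_ACCESS = 0x1FFFFF

# Assumed allowlist: images that routinely open lsass with read access on this host.
ALLOWED_SOURCES = {
    r"c:\windows\system32\wininit.exe",
    r"c:\windows\system32\csrss.exe",
}


def parse_event(xml_text):
    """Return the EventID plus the EventData name/value pairs of one Sysmon event."""
    root = ET.fromstring(xml_text)
    ev = {d.get("Name"): (d.text or "") for d in root.findall("e:EventData/e:Data", NS)}
    ev["EventID"] = int(root.findtext("e:System/e:EventID", default="0", namespaces=NS))
    return ev


def is_suspicious_lsass_access(ev):
    """True when a non-allowlisted image obtains memory-read (or full) access to lsass.exe."""
    if ev.get("EventID") != 10:
        return False
    if not ev.get("TargetImage", "").lower().endswith(r"\lsass.exe"):
        return False
    granted = int(ev.get("GrantedAccess", "0x0"), 16)
    # PROCESS_ALL_ACCESS includes PROCESS_VM_READ, so one bit test covers both cases.
    if not granted & PROCESS_VM_READ:
        return False
    return ev.get("SourceImage", "").lower() not in ALLOWED_SOURCES


def scan(xml_events):
    """Return (SourceImage, SourceUser, GrantedAccess) for each suspicious event."""
    hits = []
    for xml_text in xml_events:
        ev = parse_event(xml_text)
        if is_suspicious_lsass_access(ev):
            hits.append((ev["SourceImage"], ev.get("SourceUser", ""), ev["GrantedAccess"]))
    return hits


def _event(source, target, access, user):
    """Build a constructed Sysmon Event ID 10 record (only the fields used here)."""
    return f"""<Event xmlns="{NS['e']}">
  <System><Provider Name="Microsoft-Windows-Sysmon"/><EventID>10</EventID></System>
  <EventData>
    <Data Name="UtcTime">2024-05-01 10:00:00.000</Data>
    <Data Name="SourceImage">{source}</Data>
    <Data Name="TargetImage">{target}</Data>
    <Data Name="GrantedAccess">{access}</Data>
    <Data Name="SourceUser">{user}</Data>
  </EventData>
</Event>"""


LSASS = r"C:\Windows\system32\lsass.exe"
TOOL = r"C:\Users\bob\AppData\Local\Temp\tool.exe"  # assumed unprivileged user's binary

# Constructed sample events.
SAMPLE_EVENTS = [
    # Routine system activity: allowlisted image running as SYSTEM.
    _event(r"C:\Windows\system32\wininit.exe", LSASS, "0x1410", "NT AUTHORITY\\SYSTEM"),
    # Query-only access from an unknown image: no PROCESS_VM_READ bit, not flagged.
    _event(TOOL, LSASS, "0x1000", "DESKTOP\\bob"),
    # Full access to lsass obtained by an unprivileged user's tool: the pattern this record describes.
    _event(TOOL, LSASS, "0x1FFFFF", "DESKTOP\\bob"),
    # Full access to a different target: outside this rule's scope.
    _event(TOOL, r"C:\Windows\explorer.exe", "0x1FFFFF", "DESKTOP\\bob"),
]

if __name__ == "__main__":
    for src, user, access in scan(SAMPLE_EVENTS):
        print(f"ALERT lsass access {access} from {src} as {user}")
```

Tune ALLOWED_SOURCES from a baseline of the host rather than from this list; the stronger discriminator for this driver's bug is GrantedAccess combined with SourceUser, since a non-SYSTEM account receiving PROCESS_ALL_ACCESS on lsass has no legitimate path to it. Security Event ID 4656 records can be fed to the same logic after mapping their Access Mask field, with the caveat that they only exist where object auditing is configured.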
This is a record of a publicly-reported event, not an assessment of any specific organization's deployment. Detection and mitigation notes are drawn from the cited source. Where the source is silent, fields are omitted.