main
WSL2 9P MitM PoC
Patches Windows file reads in-flight at the kernel level — the file on disk stays unchanged, but any process reading it through WSL2 gets tampered content.
Requirements
- Windows 11 with WSL2
- Ubuntu (or any WSL2 distro) with
sudoaccess build-essentialinstalled in WSL2
Install build tools if needed:
sudo apt update && sudo apt install -y build-essential
Run
Open a WSL2 terminal, navigate to this folder, and run:
sudo bash run.sh
That's it. The script builds the kernel module, loads it, writes a test file to Windows, reads it back through WSL2, and confirms the patch worked.
Expected output
[+] main.ko built
[*] real content:
WSL2_9P_MITM_TARGET ← what's actually on disk
[*] reading same file through WSL2 drvfs (9P):
PWNED by NJL ← what WSL2 returns
[CONFIRMED] in-flight 9P read patched — host file unchanged, WSL read tampered
How it works
WSL2 accesses C:\ through a protocol called 9P over a virtual network socket. This kernel module hooks the 9P read function and replaces matching content before it reaches userspace — without touching the actual file.
Description
Languages
C
51.6%
Shell
44.2%
Makefile
4.2%