2026-06-27 00:10:14 +00:00
2026-06-26 22:46:39 +00:00
2026-06-26 22:44:20 +00:00
2026-06-27 00:10:14 +00:00
2026-06-26 22:48:23 +00:00
2026-06-26 22:47:33 +00:00

WSL2 9P MitM PoC

Patches Windows file reads in-flight at the kernel level — the file on disk stays unchanged, but any process reading it through WSL2 gets tampered content.

Requirements

  • Windows 11 with WSL2
  • Ubuntu (or any WSL2 distro) with sudo access
  • build-essential installed in WSL2

Install build tools if needed:

sudo apt update && sudo apt install -y build-essential

Run

Open a WSL2 terminal, navigate to this folder, and run:

sudo bash run.sh

That's it. The script builds the kernel module, loads it, writes a test file to Windows, reads it back through WSL2, and confirms the patch worked.

Expected output

[+] main.ko built
[*] real content:
WSL2_9P_MITM_TARGET        ← what's actually on disk
[*] reading same file through WSL2 drvfs (9P):
PWNED by NJL               ← what WSL2 returns
[CONFIRMED] in-flight 9P read patched — host file unchanged, WSL read tampered

How it works

WSL2 accesses C:\ through a protocol called 9P over a virtual network socket. This kernel module hooks the 9P read function and replaces matching content before it reaches userspace — without touching the actual file.

S
Description
Well, don't use wsl2
Readme 36 KiB
Languages
C 51.6%
Shell 44.2%
Makefile 4.2%