# WSL2 9P MitM PoC Patches Windows file reads in-flight at the kernel level — the file on disk stays unchanged, but any process reading it through WSL2 gets tampered content. ## Requirements - Windows 11 with WSL2 - Ubuntu (or any WSL2 distro) with `sudo` access - `build-essential` installed in WSL2 Install build tools if needed: ```bash sudo apt update && sudo apt install -y build-essential ``` ## Run Open a WSL2 terminal, navigate to this folder, and run: ```bash sudo bash run.sh ``` That's it. The script builds the kernel module, loads it, writes a test file to Windows, reads it back through WSL2, and confirms the patch worked. ## Expected output ``` [+] main.ko built [*] real content: WSL2_9P_MITM_TARGET ← what's actually on disk [*] reading same file through WSL2 drvfs (9P): PWNED by NJL ← what WSL2 returns [CONFIRMED] in-flight 9P read patched — host file unchanged, WSL read tampered ``` ## How it works WSL2 accesses `C:\` through a protocol called 9P over a virtual network socket. This kernel module hooks the 9P read function and replaces matching content before it reaches userspace — without touching the actual file.