Files
Do-Not-Use-WSL2/README.md
T
2026-06-26 22:48:23 +00:00

40 lines
1.2 KiB
Markdown

# WSL2 9P MitM PoC
Patches Windows file reads in-flight at the kernel level — the file on disk stays unchanged, but any process reading it through WSL2 gets tampered content.
## Requirements
- Windows 11 with WSL2
- Ubuntu (or any WSL2 distro) with `sudo` access
- `build-essential` installed in WSL2
Install build tools if needed:
```bash
sudo apt update && sudo apt install -y build-essential
```
## Run
Open a WSL2 terminal, navigate to this folder, and run:
```bash
sudo bash run.sh
```
That's it. The script builds the kernel module, loads it, writes a test file to Windows, reads it back through WSL2, and confirms the patch worked.
## Expected output
```
[+] main.ko built
[*] real content:
WSL2_9P_MITM_TARGET ← what's actually on disk
[*] reading same file through WSL2 drvfs (9P):
PWNED by NJL ← what WSL2 returns
[CONFIRMED] in-flight 9P read patched — host file unchanged, WSL read tampered
```
## How it works
WSL2 accesses `C:\` through a protocol called 9P over a virtual network socket. This kernel module hooks the 9P read function and replaces matching content before it reaches userspace — without touching the actual file.