216.73.217.64

T1055.015: ListPlanting

View on MITRE ATT&CK The MITRE Corporation · Published 22/11/2021 16:02 · Modified 27/03/2026 01:12

Essential information

MITRE technique ID
T1055.015
Confidence
100/100
Revoked
No
Published
22/11/2021 16:02
Modified
27/03/2026 01:12
Author / Source
The MITRE Corporation

Platforms

windows

Description

Adversaries may abuse list-view controls to inject malicious code into hijacked processes in order to evade process-based defenses as well as possibly elevate privileges. ListPlanting is a method of executing arbitrary code in the address space of a separate live process.(Citation: Hexacorn Listplanting) Code executed via ListPlanting may also evade detection from security products since the execution is masked under a legitimate process. List-view controls are user interface windows used to display collections of items.(Citation: Microsoft List View Controls) Information about an application's list-view settings are stored within the process' memory in a `SysListView32` control. ListPlanting (a form of message-passing "shatter attack") may be performed by copying code into the virtual address space of a process that uses a list-view control then using that code as a custom callback for sorting the listed items.(Citation: Modexp Windows Process Injection) Adversaries must first copy code into the target process’ memory space, which can be performed various ways including by directly obtaining a handle to the `SysListView32` child of the victim process window (via Windows API calls such as `FindWindow` and/or `EnumWindows`) or other [Process Injection](https://attack.mitre.org/techniques/T1055) methods. Some variations of ListPlanting may allocate memory in the target process but then use window messages to copy the payload, to avoid the use of the highly monitored `WriteProcessMemory` function. For example, an adversary can use the `PostMessage` and/or `SendMessage` API functions to send `LVM_SETITEMPOSITION` and `LVM_GETITEMPOSITION` messages, effectively copying a payload 2 bytes at a time to the allocated memory.(Citation: ESET InvisiMole June 2020) Finally, the payload is triggered by sending the `LVM_SORTITEMS` message to the `SysListView32` child of the process window, with the payload within the newly allocated buffer passed and executed as the `ListView_SortItems` callback.

Kill chain phases

Kill chainPhase
mitre-attack defense-evasion
mitre-attack privilege-escalation

Marking (TLP)

Copyright 2015-2025, The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation.

External references