MITRE ATT&CK Technique
Description
Adversaries may abuse list-view controls to inject malicious code into hijacked processes in order to evade process-based defenses as well as possibly elevate privileges. ListPlanting is a method of executing arbitrary code in the address space of a separate live process.(Citation: Hexacorn Listplanting) Code executed via ListPlanting may also evade detection from security products since the execution is masked under a legitimate process.

List-view controls are user interface windows used to display collections of items.(Citation: Microsoft List View Controls) Information about an application's list-view settings is stored within the process's memory in a <code>SysListView32</code> control.

ListPlanting (a form of message-passing "shatter attack") may be performed by copying code into the virtual address space of a process that uses a list-view control, then using that code as a custom callback for sorting the listed items.(Citation: Modexp Windows Process Injection) Adversaries must first copy code into the target process's memory space, which can be performed in various ways, including by directly obtaining a handle to the <code>SysListView32</code> child of the victim process window (via Windows API calls such as <code>FindWindow</code> and/or <code>EnumWindows</code>) or other [Process Injection](https://attack.mitre.org/techniques/T1055) methods.

Some variations of ListPlanting may allocate memory in the target process but then use window messages to copy the payload, to avoid the use of the highly monitored <code>WriteProcessMemory</code> function. For example, an adversary can use the <code>PostMessage</code> and/or <code>SendMessage</code> API functions to send <code>LVM_SETITEMPOSITION</code> and <code>LVM_GETITEMPOSITION</code> messages, effectively copying a payload 2 bytes at a time to the allocated memory.(Citation: ESET InvisiMole June 2020)

Finally, the payload is triggered by sending the <code>LVM_SORTITEMS</code> message to the <code>SysListView32</code> child of the process window, with the payload within the newly allocated buffer passed and executed as the <code>ListView_SortItems</code> callback.
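The message sequence described above gives defenders a correlation point: the sort callback is a pointer that is only meaningful inside the process that owns the control, so an LVM_SORTITEMS message arriving from a different process is anomalous, and a preceding burst of position messages from the same sender raises confidence. The following detection sketch is an added example, not part of the ATT&CK entry; the event schema (src_pid, dst_pid, wnd_class, msg, lparam), the threshold and the sample events are assumptions constructed for illustration, while the message numbers are the standard commctrl.h values.

```python
from collections import defaultdict

LVM_FIRST = 0x1000                       # base of list-view messages (commctrl.h)
LVM_SETITEMPOSITION = LVM_FIRST + 15
LVM_GETITEMPOSITION = LVM_FIRST + 16
LVM_SORTITEMS = LVM_FIRST + 48           # lParam carries the compare-callback pointer
COPY_MSGS = {LVM_SETITEMPOSITION, LVM_GETITEMPOSITION}

def detect_listplanting(events, copy_threshold=8):
    """Return one alert per cross-process LVM_SORTITEMS sent to a SysListView32."""
    copies = defaultdict(int)            # (src_pid, dst_pid) -> position messages seen
    alerts = []
    for ev in events:
        # In-process sorting is normal application behaviour; only cross-process counts.
        if ev["wnd_class"] != "SysListView32" or ev["src_pid"] == ev["dst_pid"]:
            continue
        pair = (ev["src_pid"], ev["dst_pid"])
        if ev["msg"] in COPY_MSGS:
            copies[pair] += 1
        elif ev["msg"] == LVM_SORTITEMS and ev["lparam"] != 0:
            n = copies.pop(pair, 0)
            alerts.append({
                "src_pid": pair[0], "dst_pid": pair[1],
                "callback": ev["lparam"], "copy_messages": n,
                # A burst of position messages first suggests the message-based copy.
                "severity": "high" if n >= copy_threshold else "medium",
            })
    return alerts

def _ev(src, dst, msg, lparam=0, cls="SysListView32"):
    return {"src_pid": src, "dst_pid": dst, "wnd_class": cls, "msg": msg, "lparam": lparam}

# Constructed sample telemetry (hypothetical PIDs and addresses).
SAMPLE_EVENTS = (
    [_ev(2200, 2200, LVM_SORTITEMS, 0x7FF6A0001000)]   # application sorts its own list
    + [_ev(4100, 2200, m) for _ in range(6)
       for m in (LVM_SETITEMPOSITION, LVM_GETITEMPOSITION)]
    + [_ev(4100, 2200, LVM_SORTITEMS, 0x1F0000)]       # sort after message-based copy
    + [_ev(5000, 3300, LVM_SORTITEMS, 0x2A0000)]       # sort with no copy burst observed
)

if __name__ == "__main__":
    for alert in detect_listplanting(SAMPLE_EVENTS):
        print(alert)
```

The medium-severity case covers variants where the payload was copied by another method, so no position-message burst precedes the sort.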
Supported Platforms
Created
April 29, 2026
Last Updated
April 29, 2026
STIX Data
{'created': '2021-11-22T15:02:15.190Z',
'created_by_ref': 'identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5',
'description': 'Adversaries may abuse list-view controls to inject malicious '
'code into hijacked processes in order to evade process-based '
'defenses as well as possibly elevate privileges. ListPlanting '
'is a method of executing arbitrary code in the address space '
'of a separate live process.(Citation: Hexacorn Listplanting) '
'Code executed via ListPlanting may also evade detection from '
'security products since the execution is masked under a '
'legitimate process.\n'
'\n'
'List-view controls are user interface windows used to display '
'collections of items.(Citation: Microsoft List View Controls) '
"Information about an application's list-view settings are "
"stored within the process' memory in a "
'<code>SysListView32</code> control.\n'
'\n'
'ListPlanting (a form of message-passing "shatter attack") may '
'be performed by copying code into the virtual address space '
'of a process that uses a list-view control then using that '
'code as a custom callback for sorting the listed '
'items.(Citation: Modexp Windows Process Injection) '
'Adversaries must first copy code into the target process’ '
'memory space, which can be performed various ways including '
'by directly obtaining a handle to the '
'<code>SysListView32</code> child of the victim process window '
'(via Windows API calls such as <code>FindWindow</code> and/or '
'<code>EnumWindows</code>) or other [Process '
'Injection](https://attack.mitre.org/techniques/T1055) '
'methods.\n'
'\n'
'Some variations of ListPlanting may allocate memory in the '
'target process but then use window messages to copy the '
'payload, to avoid the use of the highly monitored '
'<code>WriteProcessMemory</code> function. For example, an '
'adversary can use the <code>PostMessage</code> and/or '
'<code>SendMessage</code> API functions to send '
'<code>LVM_SETITEMPOSITION</code> and '
'<code>LVM_GETITEMPOSITION</code> messages, effectively '
'copying a payload 2 bytes at a time to the allocated '
'memory.(Citation: ESET InvisiMole June 2020) \n'
'\n'
'Finally, the payload is triggered by sending the '
'<code>LVM_SORTITEMS</code> message to the '
'<code>SysListView32</code> child of the process window, with '
'the payload within the newly allocated buffer passed and '
'executed as the <code>ListView_SortItems</code> callback.',
'external_references': [{'external_id': 'T1055.015',
'source_name': 'mitre-attack',
'url': 'https://attack.mitre.org/techniques/T1055/015'},
{'description': 'Hexacorn. (2019, April 25). '
'Listplanting – yet another code '
'injection trick. Retrieved August '
'14, 2024.',
'source_name': 'Hexacorn Listplanting',
'url': 'https://www.hexacorn.com/blog/2019/04/25/listplanting-yet-another-code-injection-trick/'},
{'description': 'Hromcova, Z. and Cherpanov, A. '
'(2020, June). INVISIMOLE: THE HIDDEN '
'PART OF THE STORY. Retrieved July '
'16, 2020.',
'source_name': 'ESET InvisiMole June 2020',
'url': 'https://www.welivesecurity.com/wp-content/uploads/2020/06/ESET_InvisiMole.pdf'},
{'description': 'Microsoft. (2021, May 25). About '
'List-View Controls. Retrieved '
'January 4, 2022.',
'source_name': 'Microsoft List View Controls',
'url': 'https://docs.microsoft.com/windows/win32/controls/list-view-controls-overview'},
{'description': 'odzhan. (2019, April 25). Windows '
'Process Injection: WordWarping, '
'Hyphentension, AutoCourgette, '
'Streamception, Oleum, ListPlanting, '
'Treepoline. Retrieved November 15, '
'2021.',
'source_name': 'Modexp Windows Process Injection',
'url': 'https://modexp.wordpress.com/2019/04/25/seven-window-injection-methods/'}],
'id': 'attack-pattern--eb2cb5cb-ae87-4de0-8c35-da2a17aafb99',
'kill_chain_phases': [{'kill_chain_name': 'mitre-attack',
'phase_name': 'defense-evasion'},
{'kill_chain_name': 'mitre-attack',
'phase_name': 'privilege-escalation'}],
'modified': '2025-10-24T17:49:33.701Z',
'name': 'ListPlanting',
'object_marking_refs': ['marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168'],
'revoked': False,
'spec_version': '2.1',
'type': 'attack-pattern',
'x_mitre_attack_spec_version': '3.2.0',
'x_mitre_contributors': ['ESET'],
'x_mitre_deprecated': False,
'x_mitre_detection': '',
'x_mitre_domains': ['enterprise-attack'],
'x_mitre_is_subtechnique': True,
'x_mitre_modified_by_ref': 'identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5',
'x_mitre_platforms': ['Windows'],
'x_mitre_version': '1.2'}