{"id":6254,"date":"2019-04-25T00:14:00","date_gmt":"2019-04-25T00:14:00","guid":{"rendered":"http:\/\/www.hexacorn.com\/blog\/?p=6254"},"modified":"2019-08-20T23:12:24","modified_gmt":"2019-08-20T23:12:24","slug":"listplanting-yet-another-code-injection-trick","status":"publish","type":"post","link":"https:\/\/www.hexacorn.com\/blog\/2019\/04\/25\/listplanting-yet-another-code-injection-trick\/","title":{"rendered":"Listplanting &#8211; yet another code injection trick"},"content":{"rendered":"\n<p>Okay, this is the last one in this short series, just to add the list-view control.<\/p>\n\n\n\n<p>Same as tree-view, it accepts two interesting messages <a href=\"https:\/\/docs.microsoft.com\/en-us\/windows\/desktop\/Controls\/lvm-insertgroupsorted\">LVM_INSERTGROUPSORTED<\/a> and <a href=\"https:\/\/docs.microsoft.com\/en-us\/windows\/desktop\/Controls\/lvm-sortgroups\">LVM_SORTGROUPS<\/a> that can help us to set up a callback pointing to <a href=\"https:\/\/docs.microsoft.com\/en-us\/windows\/desktop\/api\/commctrl\/nc-commctrl-pfnlvgroupcompare\">LVGroupCompare<\/a> function.<\/p>\n\n\n\n<p>And same as tree-view, it&#8217;s fairly popular. Testing my quick&amp;dirty POC I crashed a number of programs including Total Commander, and Windows Explorer.<\/p>\n\n\n\n<p>Modexp shared a nice POC <a href=\"https:\/\/modexp.wordpress.com\/2019\/04\/25\/seven-window-injection-methods\/\">here<\/a>.  <br>Csaba shared a nice POC <a href=\"https:\/\/github.com\/theevilbit\/injection\">here<\/a>.  <\/p>\n","protected":false},"excerpt":{"rendered":"<p>Okay, this is the last one in this short series, just to add the list-view control. Same as tree-view, it accepts two interesting messages LVM_INSERTGROUPSORTED and LVM_SORTGROUPS that can help us to set up a callback pointing to LVGroupCompare function. &hellip; <a href=\"https:\/\/www.hexacorn.com\/blog\/2019\/04\/25\/listplanting-yet-another-code-injection-trick\/\">Continue reading <span class=\"meta-nav\">&rarr;<\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":[],"categories":[57],"tags":[],"_links":{"self":[{"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/posts\/6254"}],"collection":[{"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/comments?post=6254"}],"version-history":[{"count":3,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/posts\/6254\/revisions"}],"predecessor-version":[{"id":6680,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/posts\/6254\/revisions\/6680"}],"wp:attachment":[{"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/media?parent=6254"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/categories?post=6254"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/tags?post=6254"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}