Query Module and Thread of Windows Spyware

 By Chris Gudy
A module is a file whose code can be loaded into memory and executed. It is generally in binary form, such as an EXE or DLL file. A process can consist of more than one module. If a single file holds all of a process's code, the process has only one module, but this rarely happens: even a simple program usually calls functions from other libraries, so the process it starts contains code from those library files as well as from the original file, which means it has two or more modules. Strictly speaking, it is detectors rather than spyware developers who are most interested in how to list all modules of a specified process. When we suspect a process of being spyware, being able to list all of its modules helps enormously in reaching a conclusion.

Another similar topic is the thread. In the Win32 environment every process runs by means of threads; a process has at least one default thread. Because threads can be created dynamically in code, many processes run with multiple threads. To learn about a running process in detail, we usually need information about every thread that belongs to it.

Undoubtedly, thread information is critical for analyzing the architecture, and even the functionality, of the corresponding process. As with modules, analyzing threads is just as necessary for detectors to uncover the truth about spyware. On the other hand, spyware developers also want to learn the details of modules and threads in order to avoid being uncovered.

Just as there are several ways to get information about a process, there are multiple ways to obtain data about modules or threads. Since the ToolHelp API covers the main client-side operating systems, we will use it to query modules and threads, just as we can use ToolHelp to enumerate all processes in memory. The crucial step in that procedure is calling CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0) to create a snapshot holding all information about processes. Indeed, snapshots are at the core of the ToolHelp functions. A snapshot is a read-only copy of the current state of one or more of the following lists that reside in system memory: processes, threads, modules and heaps. The snapshot taken by this function is examined by the other ToolHelp functions to produce their results. Access to the snapshot is read-only. The snapshot handle acts as an object handle and is subject to the same rules regarding which processes and threads it is valid in.

As you might guess, you control the contents of a snapshot by passing various values in the first parameter of CreateToolhelp32Snapshot, such as the following.
  • TH32CS_SNAPHEAPLIST: Includes all heaps of the process specified in the snapshot.
  • TH32CS_SNAPMODULE: Includes all modules of the process specified in the snapshot.
  • TH32CS_SNAPPROCESS: Includes all processes in the system in the snapshot.
  • TH32CS_SNAPTHREAD: Includes all threads in the system in the snapshot.
The TH32CS_SNAPHEAPLIST and TH32CS_SNAPMODULE values are process specific: you must specify a process ID in the second parameter when calling the function with them, and the snapshot then includes the heap or module list of that process. Specifying zero as the process identifier means the current process. The TH32CS_SNAPTHREAD value, however, always creates a system-wide snapshot, even if you pass a process identifier.

Heaps are outside our discussion. There are also other features and options of CreateToolhelp32Snapshot that we do not cover; we use the function only to create the snapshots we need. If you are interested in the function itself, consult the relevant documentation.

Undoubtedly, threads and modules are more valuable than processes for tracking spyware. However, Microsoft does not provide ordinary users with a tool to view them, as taskmgr.exe does for processes. So you have to look for tools yourself if you want to check threads or modules.