Jaa

Why can't I copy programs out of Windows?

  • Artikkeli

I've seen people internally and externally ask for help copying files out of \Windows on the device, usually EXEs and DLL files. I'm not sure what their end goal - sometimes it's to try those binaries on a different device but there are probably other reasons too. In general, it's pretty hard to do this and the obvious methods won't work.

There are two main sections of the internal ROM of a device, called FILES and MODULES. You can copy anything you want out of the FILES section. All of the data files like graphics and other multimedia go in the FILES section. Some program binaries will also end up in the FILES section, depending on where Microsoft and the OEM choose to put them. You can tell a file in the MODULES section because it will have the FILE_ATTRIBUTE_ROMMODULE attribute as well as FILE_ATTRIBUTE_INROM. Files in the FILES section will only have FILE_ATTRIBUTE_INROM. If you're looking at the files in a file explorer that shows attributes in hex, FILE_ATTRIBUTE_ROMMODULE|FILE_ATTRIBUTE_INROM shows up as 0x2040.

The programs in the MODULES section of ROM are specially processed before getting put into ROM. Most of the headers are removed and the addresses are fixed up so that the programs can run without having to be loaded into RAM first. This saves RAM and performance later on. What this means to you is that even if you could get the bytes out of ROM, you wouldn't be able to use them. The binary has been stripped down and customized for that particular device.

There are unsupported tools externally available that are able to copy the modules out of ROM and then try to reconstruct the original file. If you still need to extract those bytes, you can probably find one of those tools.

 

Scott

Comments

  • Anonymous
    December 30, 2007
    When you target multiple Windows Mobile versions from one binary, it is often the case that you statically link to a function or dll which doesn't exists on one version or flavour but works fine on others. Currently there is no usable tool to find these troubleshot points. On desktop Windows you would just use "depends" and identify these issues in minutes. On Mobile the only way currently is to get a third party implementation of "depends" which supports CE (Dependency Walker), but to be able to use that efficiently you do need to extract the DLLs from the Windows folder, which is not supported officially. This is a legitimate scenario, which I run into quite a few times already. When will we have an implementation of "depends", which runs on the device, I can feed it with an "EXE" or "DLL", and it gives me back the incorrect links? Or a legitimate way to extact the DLLs from the device.

  • Anonymous
    December 30, 2007
    I'm not sure I have a great answer for you. Dependency Walker is what we use internally, but like you mention, you can't use it on the device. I doubt it will ever be easier in the short term to extract binaries from the MODULES section. The information that you need to reconstruct that DLL has been discarded to save space and boost runtime performance. It's probably possible to write a version of depends that would work on a device, though. That is a little bit out of my area of expertise.

  • Anonymous
    January 07, 2008
    Hy Scott I have an old HTC P3600 with Windows Mobile 5 and I buy the new HTC TyTN II. My VERY BIG problem is that I use thet phone for work and in the new Windows Mobile 6 there isn't the Remote Desktop Connection Client!!!!!!! I didn't find programs for the remote desktop connection (there are some program but all of these need to install something on the server and I don't wanto to do it) so I would try to extract mstsc40.exe from P3600 and copy it on TyTN II: could you tell me a name of "unsupported tools externally available that are able to copy the modules out of ROM"? thank you Davide

  • Anonymous
    January 15, 2008
    Thanks for this post, one question less I have. Yet the others:

  1. Long time ago Mike wrote about significant difference between NAND and NOR storage that the latter can XIP. But AFAIK NOR is rare guest in modern PDAs. How can modules XIP then?
  2. Are these modules somehow connected with different WM features or they are just another type of file storage?
  3. How are modules physically stored in the firmware and what type of ROM area they correspond to: XIP, IMGFS, ..? Davide De Marchi, don't bother, better search for WM6 RDP cab. I doubt it's legal but when a $1000 device lacks basic features it's us who feel robbed.

  • Anonymous
    January 16, 2008
    Djet Thankyou for the signalling, I find and instll WM6 RDP cab and it work very well. Still cannot understand why Microsoft doesn't install it by default: it's only 700Kb and don't disturb anyone who don't want to use it....boh.... Thank again Davide De Marchi

  • Anonymous
    January 22, 2008
    I have an dell Axim 51V with Windows Mobile 5 and I will buy the new HTC . My VERY BIG problem is that When I use the Remote Desktop Connection (Terminal service Client) in Axim51V , I  see all desktop screen, but  when I use  the Terminal Service Client in HTC I see a small part of desktop screen I would try to extract mstsc40.exe from Dell Axim 51V and copy it on HTC: could you tell me a name of "unsupported tools externally available that are able to copy the modules out of ROM"? thank you Jorge Babo forn@kraftbaterias.com.br

  • Anonymous
    January 22, 2008
    I can't help you do that. It violates our licensing agreements.

  • Anonymous
    January 22, 2008
    When I use the Remote Desktop Connection (Terminal service Client) in Axim51V , I can  see all desktop screen, so Could you tell me wich Smarthphone it’s same  Axim 51V Terminal service Client? Please help me!!!!!!!!!!!

  • Anonymous
    February 03, 2008
    well i'd like to correct some of the info here

  1. the original purpose of modules was indeed running them directly from ROM but nowadays that doesn't really happen (NAND). kind of an outdated concept unless you care about the time it takes the loader to fixup the addresses for an ordinary dll.
  2. you can extract and fully reconstruct DLL modules from wm5 and wm6. the information has not been discarded (as the update loader needs it). you have always been able to fully reconstruct EXEs (information has never been discarded for them). you can also fully reconstruct DLLs from earlier devices than WM5 (and from plain CE5) but that is a bit harder, though if the device is ARM then it can be 99% automated in a tool.
  3. it applies both to XIP and IMGFS modules.
  4. as for djet's other questions, they are not connected with features. physical storing? this is a broad topic, what did you mean?
  5. executabilitycheck will work as a dependencywalker on ARM and MIPS devices.

  • Anonymous
    March 20, 2008
    When doing device driver development, I am only able to overwrite the dll file in Windows once. I am not able to overwrite the dll file the second time. Why is it so?

  • Anonymous
    April 09, 2008
    The comment has been removed

  • Anonymous
    May 06, 2008
    @ alex soh: rename the dll then copy your new version of it there then reboot. when it is in rom it lets you "overwrite", afterwards it will be in use so no overwrite @ guna: yeah, though if you had read my post a bit more carefully, you'd see it wasn't entirely trivial before WM5. :)

  • Anonymous
    May 06, 2008
    @ guna: I forgot to add, this was not for security reasons originally, I think

  • Anonymous
    May 06, 2008
    not to sound harsh, nor funny, but the most logical answer for this is that you actually probably load the DLL into memory for usage, and "running" code may not be overwritten.

  • Anonymous
    February 10, 2009
    The comment has been removed