Example
#import "ExpertSample.dll"
int GetIntValue(int);
#import
but it can be like this?
#import http://www.mywebsite.com/ExpertSample.dll
Thank you
Regards.
Can you imagine, how dangerous this feature would be if Windows allowed it?
Example
#import "ExpertSample.dll"
int GetIntValue(int);
#import
but it can be like this?
#import http://www.mywebsite.com/ExpertSample.dll
Thank you
Regards.
There's not really much difference between that versus what Windows does "allow", which is downloading a file from a server and then linking to it dynamically.
For example, it's possible to do the following in MQL4, because MT4 doesn't verify the existence of test.dll until the call to TestFunction() is actually made:
#property strict #import "kernel32.dll" int CreateFileW(string, int, int, int, int, int, int); int WriteFile(int, char & arr[], int, int&, int); int CloseHandle(int); #import #import "Test.dll" void TestFunction(); #import void OnStart() { // Download DLL file from server string headers; char post[], data[]; int res = WebRequest("GET", "http://myserver/myfile.dll", NULL, NULL, 10000, post, 0, data, headers); // Write DLL file to MQL4\Libraries string strFile = StringConcatenate(TerminalInfoString(TERMINAL_DATA_PATH), "\\MQL4\\Libraries\\Test.dll"); int f = CreateFileW(strFile, 1073741824, 0, 0, 2, 0, 0); int szWrite; WriteFile(f, data, ArraySize(data), szWrite, 0); CloseHandle(f); // Call newly-downloaded DLL TestFunction(); }
What's very interesting about this is that's possible to do the following...
#import "..\\Files\\test.dll" int TestFunction(); #import
(In other words, you can import a DLL which is in MQL4\Files rather than MQL4\Libraries)
... However, you can't use MQL4's FileWriteArray() etc to create the DLL file in MQL4\Files. You have to use the Win32 file functions. After experimentation, it turns out that MT4 contains some very careful checks which prevent you creating an executable file using the built-in functions such as FileWriteArray(), FileWriteString(). It won't allow you to create a file which starts with the 0x905A4D executable header.
There's not really much difference between that versus what Windows does "allow", which is downloading a file from a server and then linking to it dynamically.
For example, it's possible to do the following in MQL4, because MT4 doesn't verify the existence of test.dll until the call to TestFunction() is actually made:
What's very interesting about this is that's possible to do the following...
(In other words, you can import a DLL which is in MQL4\Files rather than MQL4\Libraries)
... However, you can't use MQL4's FileWriteArray() etc to create the DLL file in MQL4\Files. You have to use the Win32 file functions. After experimentation, it turns out that MT4 contains some very careful checks which prevent you creating an executable file using the built-in functions such as FileWriteArray(), FileWriteString(). It won't allow you to create a file which starts with the 0x905A4D executable header.
There is a huge difference, if you load an executable from the internet, any hacker can tamper it.
Technically, there is no problem with downloading and writing any file to the local file system, as you have DLL enabled anyway. The major problem is you cannot (re)load a new DLL by the already running script. It was possible with MT4 509, but currently it must be loaded within the script start.
There is a huge difference, if you load an executable from the internet, any hacker can tamper it.
I don't see the fundamental difference between #import "http://myserver/mydll.dll" and the code above. One way or another, the executable code passes over the internet; is, in theory, vulnerable to manipulation in transit; and is then executed on the local machine.
Technically, there is no problem with downloading and writing any file to the local file system, as you have DLL enabled anyway. The major problem is you cannot (re)load a new DLL by the already running script. It was possible with MT4 509, but currently it must be loaded within the script start.
It depends on one's threshold for "insecure". Downloading an EA and turning on DLL imports is fundamentally similar to downloading and running any other software from the internet. You need to trust the software's author - or the activity-scanner of your anti-virus software.
You need to trust any EA author to some degree. You don't need DLL imports to write an EA which, on a pre-arranged date, suddenly starts placing huge trades until it blows up your account - either just in order to cause malicious damage, or because the author has some sort of financial relationship with a B book broker.
There's not really much difference between that versus what Windows does "allow", which is downloading a file from a server and then linking to it dynamically.
For example, it's possible to do the following in MQL4, because MT4 doesn't verify the existence of test.dll until the call to TestFunction() is actually made:
What's very interesting about this is that's possible to do the following...
(In other words, you can import a DLL which is in MQL4\Files rather than MQL4\Libraries)
... However, you can't use MQL4's FileWriteArray() etc to create the DLL file in MQL4\Files. You have to use the Win32 file functions. After experimentation, it turns out that MT4 contains some very careful checks which prevent you creating an executable file using the built-in functions such as FileWriteArray(), FileWriteString(). It won't allow you to create a file which starts with the 0x905A4D executable header.
...
You do that by having two DLLs: a shell which wraps the actual functionality in a second DLL. The #import in MQL4 is of the shell. At any time, the shell can suspend incoming calls from MQL4; unload the second DLL; replace it on disk; reload it; and then execute any pending calls.
Example
#import "ExpertSample.dll"
int GetIntValue(int);
#import
but it can be like this?
#import http://www.mywebsite.com/ExpertSample.dll
Thank you
Regards.