Possible to import DLL from server? - Free Trading Signals - MQL4 and MetaTrader 4

Ex Ovo Omnia 2017.05.23 12:04 #1

Siwakon Poonsawat:

Example

#import "ExpertSample.dll"
int GetIntValue(int);
#import

but it can be like this?

#import http://www.mywebsite.com/ExpertSample.dll

Thank you

Regards.

Can you imagine, how dangerous this feature would be if Windows allowed it?

JC 2017.05.23 12:48 #2

Ex Ovo Omnia:

Can you imagine, how dangerous this feature would be if Windows allowed it?

There's not really much difference between that versus what Windows does "allow", which is downloading a file from a server and then linking to it dynamically.

For example, it's possible to do the following in MQL4, because MT4 doesn't verify the existence of test.dll until the call to TestFunction() is actually made:

#property strict 

#import "kernel32.dll"
   int CreateFileW(string, int, int, int, int, int, int);   
   int WriteFile(int, char & arr[], int, int&, int);
   int CloseHandle(int);
#import

#import "Test.dll"
   void TestFunction();
#import

void OnStart()
{
   // Download DLL file from server
   string headers;
   char post[], data[];
   int res = WebRequest("GET", "http://myserver/myfile.dll", NULL, NULL, 10000, post, 0, data, headers);

   // Write DLL file to MQL4\Libraries
   string strFile = StringConcatenate(TerminalInfoString(TERMINAL_DATA_PATH), "\\MQL4\\Libraries\\Test.dll");
   int f = CreateFileW(strFile, 1073741824, 0, 0, 2, 0, 0);
   int szWrite;
   WriteFile(f, data, ArraySize(data), szWrite, 0);
   CloseHandle(f);
   
   // Call newly-downloaded DLL
   TestFunction();
}

What's very interesting about this is that's possible to do the following...

#import "..\\Files\\test.dll"
   int TestFunction();
#import

(In other words, you can import a DLL which is in MQL4\Files rather than MQL4\Libraries)

... However, you can't use MQL4's FileWriteArray() etc to create the DLL file in MQL4\Files. You have to use the Win32 file functions. After experimentation, it turns out that MT4 contains some very careful checks which prevent you creating an executable file using the built-in functions such as FileWriteArray(), FileWriteString(). It won't allow you to create a file which starts with the 0x905A4D executable header.

carry dll inside .ex4 [WARNING CLOSED!] Any newbie Call a secondary encapsulated

Alain Verleyen 2017.05.23 13:18 #3

Allowing DLL is unsecure anyway. Most people probably don't understand this.

Ex Ovo Omnia 2017.05.23 13:34 #4

JC:

There's not really much difference between that versus what Windows does "allow", which is downloading a file from a server and then linking to it dynamically.

For example, it's possible to do the following in MQL4, because MT4 doesn't verify the existence of test.dll until the call to TestFunction() is actually made:

What's very interesting about this is that's possible to do the following...

(In other words, you can import a DLL which is in MQL4\Files rather than MQL4\Libraries)

... However, you can't use MQL4's FileWriteArray() etc to create the DLL file in MQL4\Files. You have to use the Win32 file functions. After experimentation, it turns out that MT4 contains some very careful checks which prevent you creating an executable file using the built-in functions such as FileWriteArray(), FileWriteString(). It won't allow you to create a file which starts with the 0x905A4D executable header.

There is a huge difference, if you load an executable from the internet, any hacker can tamper it.

Technically, there is no problem with downloading and writing any file to the local file system, as you have DLL enabled anyway. The major problem is you cannot (re)load a new DLL by the already running script. It was possible with MT4 509, but currently it must be loaded within the script start.

Add script to chart Any rookie question, so Is it safe to

JC 2017.05.23 14:03 #5

Ex Ovo Omnia:

There is a huge difference, if you load an executable from the internet, any hacker can tamper it.

I don't see the fundamental difference between #import "http://myserver/mydll.dll" and the code above. One way or another, the executable code passes over the internet; is, in theory, vulnerable to manipulation in transit; and is then executed on the local machine.

Ex Ovo Omnia:

Technically, there is no problem with downloading and writing any file to the local file system, as you have DLL enabled anyway. The major problem is you cannot (re)load a new DLL by the already running script. It was possible with MT4 509, but currently it must be loaded within the script start.

You do that by having two DLLs: a shell which wraps the actual functionality in a second DLL. The #import in MQL4 is of the shell. At any time, the shell can suspend incoming calls from MQL4; unload the second DLL; replace it on disk; reload it; and then execute any pending calls.

DLLs and passing control How to LOCK/Encrypt EA What's new in MetaTrader

JC 2017.05.23 14:07 #6

Alain Verleyen:
Allowing DLL is unsecure anyway. Most people probably don't understand this.

It depends on one's threshold for "insecure". Downloading an EA and turning on DLL imports is fundamentally similar to downloading and running any other software from the internet. You need to trust the software's author - or the activity-scanner of your anti-virus software.

You need to trust any EA author to some degree. You don't need DLL imports to write an EA which, on a pre-arranged date, suddenly starts placing huge trades until it blows up your account - either just in order to cause malicious damage, or because the author has some sort of financial relationship with a B book broker.

A virus in an Index on Meta Trader Bit Defender Anti-Virus Found

Farrukh Aleem 2017.05.23 14:38 #7

JC:

There's not really much difference between that versus what Windows does "allow", which is downloading a file from a server and then linking to it dynamically.

For example, it's possible to do the following in MQL4, because MT4 doesn't verify the existence of test.dll until the call to TestFunction() is actually made:

What's very interesting about this is that's possible to do the following...

(In other words, you can import a DLL which is in MQL4\Files rather than MQL4\Libraries)

... However, you can't use MQL4's FileWriteArray() etc to create the DLL file in MQL4\Files. You have to use the Win32 file functions. After experimentation, it turns out that MT4 contains some very careful checks which prevent you creating an executable file using the built-in functions such as FileWriteArray(), FileWriteString(). It won't allow you to create a file which starts with the 0x905A4D executable header.

Very informative post thanks.

JC 2017.05.23 14:42 #8

Farrukh Aleem:

Very informative post thanks.

Thanks, but I'm not sure you could actually reliably use this in the wild. A future version of MT4 might start checking for the existence of the DLL file when the EA was loaded, instead of waiting until the first call is made to the DLL.

EA download file http Allow DLL Imports - File Exists?

Farrukh Aleem 2017.05.23 14:46 #9

JC:
Thanks, but I'm not sure you could actually reliably use this in the wild. A future version of MT4 might start checking for the existence of the DLL file when the EA was loaded, instead of waiting until the first call is made to the DLL.

Ya in normal circumstance we dont need dll in files, however when needed there are still workarounds you just create a file with some other extension and then use .bat or .cmd or .vbs or any other script to rename and move it back to desired location.

and again dll and Can't append on CSV Price Alert EA

Ex Ovo Omnia 2017.05.23 15:57 #10

JC:

...

You do that by having two DLLs: a shell which wraps the actual functionality in a second DLL. The #import in MQL4 is of the shell. At any time, the shell can suspend incoming calls from MQL4; unload the second DLL; replace it on disk; reload it; and then execute any pending calls.

Then it is not relevant to discuss downloading the DLL from MQL, when you already have the custom shell DLL on its place.