From 7f3f6ee5585f71efac2658c355d0d8fc52dcce26 Mon Sep 17 00:00:00 2001
From: xupengying <xpy66swsry@gmail.com>
Date: Thu, 31 Oct 2024 13:21:58 +0800
Subject: [PATCH] feat: major changes

---
 README.md                                     |   6 +-
 README.zh-CN.md                               |   6 +-
 app/build.gradle                              |   2 +-
 app/src/main/cpp/CMakeLists.txt               |   2 +-
 app/src/main/cpp/hookee/arch/arm/t16.S        |  10 +
 app/src/main/cpp/hookee/hookee.h              |   1 +
 app/src/main/cpp/unittest/unittest.c          |  66 ++
 app/src/main/cpp/unittest/unittest_jni.c      |  28 +-
 .../shadowhook/sample/MainActivity.java       |  13 +-
 .../shadowhook/sample/NativeHandler.java      |   4 +-
 app/src/main/res/layout/activity_main.xml     |   6 +-
 build.gradle                                  |  12 +-
 doc/manual.md                                 |  60 ++
 doc/manual.zh-CN.md                           |  56 ++
 gradle/wrapper/gradle-wrapper.properties      |   2 +-
 shadowhook/src/main/cpp/CMakeLists.txt        |  10 +-
 shadowhook/src/main/cpp/arch/arm/sh_inst.c    |  12 +
 shadowhook/src/main/cpp/arch/arm/sh_inst.h    |   2 +
 shadowhook/src/main/cpp/arch/arm/sh_t16.c     |   4 +-
 shadowhook/src/main/cpp/arch/arm64/sh_inst.c  |  10 +
 shadowhook/src/main/cpp/arch/arm64/sh_inst.h  |   2 +
 shadowhook/src/main/cpp/common/bytesig.c      |  57 +-
 shadowhook/src/main/cpp/common/bytesig.h      |   5 +-
 shadowhook/src/main/cpp/common/sh_config.h    |   2 +-
 shadowhook/src/main/cpp/common/sh_errno.c     |   6 +-
 shadowhook/src/main/cpp/common/sh_sig.h       |   3 +-
 shadowhook/src/main/cpp/common/sh_trampo.c    |  82 +-
 shadowhook/src/main/cpp/common/sh_trampo.h    |   8 +-
 shadowhook/src/main/cpp/common/sh_util.c      |  26 +-
 shadowhook/src/main/cpp/common/sh_util.h      |  23 +-
 shadowhook/src/main/cpp/include/shadowhook.h  |  14 +-
 shadowhook/src/main/cpp/nothing/sh_nothing.c  |   4 +
 shadowhook/src/main/cpp/sh_exit.c             |  47 +-
 shadowhook/src/main/cpp/sh_exit.h             |   1 +
 shadowhook/src/main/cpp/sh_hub.c              |  73 +-
 shadowhook/src/main/cpp/sh_hub.h              |   6 +-
 shadowhook/src/main/cpp/sh_linker.c           | 762 ++++++++++++++----
 shadowhook/src/main/cpp/sh_linker.h           |  18 +-
 shadowhook/src/main/cpp/sh_safe.c             |   8 +-
 shadowhook/src/main/cpp/sh_safe.h             |   1 +
 shadowhook/src/main/cpp/sh_switch.c           |  40 +-
 shadowhook/src/main/cpp/sh_switch.h           |   2 +
 shadowhook/src/main/cpp/sh_task.c             | 162 ++--
 shadowhook/src/main/cpp/sh_task.h             |   2 +
 shadowhook/src/main/cpp/shadowhook.c          |  50 +-
 shadowhook/src/main/cpp/shadowhook.map.txt    |   5 +
 systest/build.gradle                          |   2 +-
 systest/src/main/cpp/CMakeLists.txt           |   2 +-
 systest/src/main/cpp/systest.c                |  62 +-
 .../bytedance/shadowhook/systest/SysTest.java |   2 +-
 50 files changed, 1320 insertions(+), 469 deletions(-)
 create mode 100644 shadowhook/src/main/cpp/nothing/sh_nothing.c

diff --git a/README.md b/README.md
index 2c13fb1..df3be7f 100644
--- a/README.md
+++ b/README.md
@@ -1,7 +1,7 @@
 # ShadowHook
 
 ![](https://img.shields.io/badge/license-MIT-brightgreen.svg?style=flat)
-![](https://img.shields.io/badge/release-1.0.10-red.svg?style=flat)
+![](https://img.shields.io/badge/release-1.1.1-red.svg?style=flat)
 ![](https://img.shields.io/badge/Android-4.1%20--%2015-blue.svg?style=flat)
 ![](https://img.shields.io/badge/arch-armeabi--v7a%20%7C%20arm64--v8a-blue.svg?style=flat)
 
@@ -49,7 +49,7 @@ android {
 }
 
 dependencies {
-    implementation 'com.bytedance.android:shadowhook:1.0.10'
+    implementation 'com.bytedance.android:shadowhook:1.1.1'
 }
 ```
 
@@ -102,6 +102,7 @@ If you are using ShadowHook in an SDK project, you may need to avoid packaging l
 android {
     packagingOptions {
         exclude '**/libshadowhook.so'
+        exclude '**/libshadowhook_nothing.so'
     }
 }
 ```
@@ -112,6 +113,7 @@ On the other hand, if you are using ShadowHook in an APP project, you may need t
 android {
     packagingOptions {
         pickFirst '**/libshadowhook.so'
+        pickFirst '**/libshadowhook_nothing.so'
     }
 }
 ```
diff --git a/README.zh-CN.md b/README.zh-CN.md
index 7d6c887..3cdbeca 100644
--- a/README.zh-CN.md
+++ b/README.zh-CN.md
@@ -1,7 +1,7 @@
 # ShadowHook
 
 ![](https://img.shields.io/badge/license-MIT-brightgreen.svg?style=flat)
-![](https://img.shields.io/badge/release-1.0.10-red.svg?style=flat)
+![](https://img.shields.io/badge/release-1.1.1-red.svg?style=flat)
 ![](https://img.shields.io/badge/Android-4.1%20--%2015-blue.svg?style=flat)
 ![](https://img.shields.io/badge/arch-armeabi--v7a%20%7C%20arm64--v8a-blue.svg?style=flat)
 
@@ -49,7 +49,7 @@ android {
 }
 
 dependencies {
-    implementation 'com.bytedance.android:shadowhook:1.0.10'
+    implementation 'com.bytedance.android:shadowhook:1.1.1'
 }
 ```
 
@@ -102,6 +102,7 @@ android {
 android {
     packagingOptions {
         exclude '**/libshadowhook.so'
+        exclude '**/libshadowhook_nothing.so'
     }
 }
 ```
@@ -112,6 +113,7 @@ android {
 android {
     packagingOptions {
         pickFirst '**/libshadowhook.so'
+        pickFirst '**/libshadowhook_nothing.so'
     }
 }
 ```
diff --git a/app/build.gradle b/app/build.gradle
index 512d7ac..70becbc 100644
--- a/app/build.gradle
+++ b/app/build.gradle
@@ -45,7 +45,7 @@ android {
     }
     packagingOptions {
         jniLibs {
-            pickFirsts += ['**/libshadowhook.so']
+            pickFirsts += ['**/libshadowhook.so', '**/libshadowhook_nothing.so']
         }
         if (rootProject.ext.useASAN) {
             doNotStrip "**/*.so"
diff --git a/app/src/main/cpp/CMakeLists.txt b/app/src/main/cpp/CMakeLists.txt
index ccd6d9b..3df9deb 100644
--- a/app/src/main/cpp/CMakeLists.txt
+++ b/app/src/main/cpp/CMakeLists.txt
@@ -1,4 +1,4 @@
-cmake_minimum_required(VERSION 3.22.1)
+cmake_minimum_required(VERSION 3.30.5)
 project(app)
 enable_language(ASM)
 
diff --git a/app/src/main/cpp/hookee/arch/arm/t16.S b/app/src/main/cpp/hookee/arch/arm/t16.S
index ff104da..c99d464 100644
--- a/app/src/main/cpp/hookee/arch/arm/t16.S
+++ b/app/src/main/cpp/hookee/arch/arm/t16.S
@@ -209,6 +209,16 @@ ENTRY_GLOBAL_THUMB(test_t16_it_t1_case2)
     bx       lr
 END(test_t16_it_t1_case2)
 
+ENTRY_GLOBAL_THUMB(test_t16_it_t1_case3)
+  cmp      r0, r0         // Compare r0 with 0
+  itete    ne             // If-Then-Else-Then-Else block for Not Equal
+  addne    r1, r1, #1     // If r0 != 0, add 1 to r1
+  addeq    r2, r2, #2     // If r0 == 0, add 2 to r2
+  subne    r3, r3, #3     // If r0 != 0, subtract 3 from r3
+  moveq    r4, #4         // If r0 == 0, move 4 to r4
+  b        test_t16_helper_global
+END(test_t16_it_t1_case3)
+
 
 ENTRY_HIDDEN_THUMB(test_t16_helper_hidden_tail)
     add      r0, r0, r1
diff --git a/app/src/main/cpp/hookee/hookee.h b/app/src/main/cpp/hookee/hookee.h
index c336a7c..8e976a5 100644
--- a/app/src/main/cpp/hookee/hookee.h
+++ b/app/src/main/cpp/hookee/hookee.h
@@ -41,6 +41,7 @@ int test_t16_cbnz_t1(int a, int b);
 int test_t16_cbnz_t1_fixaddr(int a, int b);
 int test_t16_it_t1_case1(int a, int b);
 int test_t16_it_t1_case2(int a, int b);
+int test_t16_it_t1_case3(int a, int b);
 
 int test_t32_helper_global(int a, int b);
 int test_t32_b_t3(int a, int b);
diff --git a/app/src/main/cpp/unittest/unittest.c b/app/src/main/cpp/unittest/unittest.c
index 0b721cb..1b2954a 100644
--- a/app/src/main/cpp/unittest/unittest.c
+++ b/app/src/main/cpp/unittest/unittest.c
@@ -223,6 +223,55 @@ static int hook_dlopen(int api_level) {
   return result;
 }
 
+#define SH_LINKER_SYM_CALL_CONSTRUCTORS_L "__dl__ZN6soinfo16CallConstructorsEv"
+#define SH_LINKER_SYM_CALL_DESTRUCTORS_L  "__dl__ZN6soinfo15CallDestructorsEv"
+#define SH_LINKER_SYM_CALL_CONSTRUCTORS_M "__dl__ZN6soinfo17call_constructorsEv"
+#define SH_LINKER_SYM_CALL_DESTRUCTORS_M  "__dl__ZN6soinfo16call_destructorsEv"
+
+typedef void (*linker_proxy_soinfo_call_ctors_t)(void *);
+static linker_proxy_soinfo_call_ctors_t linker_orig_soinfo_call_ctors;
+static void linker_proxy_soinfo_call_ctors(void *soinfo) {
+  if (SHADOWHOOK_IS_SHARED_MODE)
+    SHADOWHOOK_CALL_PREV(linker_proxy_soinfo_call_ctors, linker_proxy_soinfo_call_ctors_t, soinfo);
+  else
+    linker_orig_soinfo_call_ctors(soinfo);
+
+  if (SHADOWHOOK_IS_SHARED_MODE) SHADOWHOOK_POP_STACK();
+}
+
+typedef void (*linker_proxy_soinfo_call_dtors_t)(void *);
+static linker_proxy_soinfo_call_dtors_t linker_orig_soinfo_call_dtors;
+static void linker_proxy_soinfo_call_dtors(void *soinfo) {
+  if (SHADOWHOOK_IS_SHARED_MODE)
+    SHADOWHOOK_CALL_PREV(linker_proxy_soinfo_call_dtors, linker_proxy_soinfo_call_dtors_t, soinfo);
+  else
+    linker_orig_soinfo_call_dtors(soinfo);
+
+  if (SHADOWHOOK_IS_SHARED_MODE) SHADOWHOOK_POP_STACK();
+}
+
+static int hook_call_ctors_dtors(int api_level) {
+  static int result = -1;
+  static bool hooked = false;
+
+  if (hooked) return result;
+  hooked = true;
+
+  void *stub_ctors = shadowhook_hook_sym_name(
+      LINKER_BASENAME,
+      api_level >= __ANDROID_API_M__ ? SH_LINKER_SYM_CALL_CONSTRUCTORS_M : SH_LINKER_SYM_CALL_CONSTRUCTORS_L,
+      (void *)linker_proxy_soinfo_call_ctors, (void **)&linker_orig_soinfo_call_ctors);
+  int errno_ctors = shadowhook_get_errno();
+  void *stub_dtors = shadowhook_hook_sym_name(
+      LINKER_BASENAME,
+      api_level >= __ANDROID_API_M__ ? SH_LINKER_SYM_CALL_DESTRUCTORS_M : SH_LINKER_SYM_CALL_DESTRUCTORS_L,
+      (void *)linker_proxy_soinfo_call_dtors, (void **)&linker_orig_soinfo_call_dtors);
+  int errno_dtors = shadowhook_get_errno();
+
+  result = (NULL != stub_ctors && NULL != stub_dtors && 0 == errno_ctors && 0 == errno_dtors) ? 0 : -1;
+  return result;
+}
+
 // end of - hooking dlopen() or do_dlopen()
 ///////////////////////////////////////////////////////////////////////////
 
@@ -270,6 +319,7 @@ PROXY(t16_cbnz_t1)
 PROXY(t16_cbnz_t1_fixaddr)
 PROXY(t16_it_t1_case1)
 PROXY(t16_it_t1_case2)
+PROXY(t16_it_t1_case3)
 
 PROXY(t32_b_t3)
 PROXY(t32_b_t4)
@@ -398,6 +448,13 @@ static int unittest_hook(int api_level) {
     return -1;
   }
 
+  if (api_level >= __ANDROID_API_L__) {
+    if (0 != hook_call_ctors_dtors(api_level)) {
+      LOG("hook soinfo::call_constructors() and get soinfo::call_destructors() FAILED");
+      return -1;
+    }
+  }
+
 #if defined(__arm__)
 
   HOOK(t16_b_t1);
@@ -454,6 +511,7 @@ static int unittest_hook(int api_level) {
   HOOK(a32_ldr_lit_a1_case2);
   HOOK(a32_ldr_reg_a1_case1);
   HOOK(a32_ldr_reg_a1_case2);
+  HOOK(t16_it_t1_case3);
 
 #elif defined(__aarch64__)
 
@@ -538,6 +596,7 @@ int unittest_unhook(void) {
   UNHOOK(t16_cbnz_t1_fixaddr);
   UNHOOK(t16_it_t1_case1);
   UNHOOK(t16_it_t1_case2);
+  UNHOOK(t16_it_t1_case3);
 
   UNHOOK(t32_b_t3);
   UNHOOK(t32_b_t4);
@@ -644,6 +703,7 @@ int unittest_run(bool hookee2_loaded) {
   RUN(t16_cbnz_t1_fixaddr);
   RUN(t16_it_t1_case1);
   RUN(t16_it_t1_case2);
+  RUN(t16_it_t1_case3);
 
   LOG(DELIMITER, "TEST INST T32");
   RUN(t32_b_t3);
@@ -731,6 +791,12 @@ int unittest_run(bool hookee2_loaded) {
     RUN_WITH_DLSYM(libhookee2.so, hook_before_dlopen_2);
   }
 
+  LOG(DELIMITER, "TEST - dlopen");
+  void *handle = dlopen("libc.so", RTLD_NOW);
+  dlclose(handle);
+  handle = dlopen("libshadowhook_nothing.so", RTLD_NOW);
+  dlclose(handle);
+
   return 0;
 }
 
diff --git a/app/src/main/cpp/unittest/unittest_jni.c b/app/src/main/cpp/unittest/unittest_jni.c
index a99d552..d2ebd45 100644
--- a/app/src/main/cpp/unittest/unittest_jni.c
+++ b/app/src/main/cpp/unittest/unittest_jni.c
@@ -21,6 +21,7 @@
 
 // Created by Kelun Cai (caikelun@bytedance.com) on 2021-04-11.
 
+#include <dlfcn.h>
 #include <fcntl.h>
 #include <jni.h>
 #include <stdarg.h>
@@ -34,6 +35,8 @@
 #define HACKER_JNI_VERSION    JNI_VERSION_1_6
 #define HACKER_JNI_CLASS_NAME "com/bytedance/shadowhook/sample/NativeHandler"
 
+static void *hookee2_handle = NULL;
+
 static int unittest_jni_hook_sym_addr(JNIEnv *env, jobject thiz, jint api_level) {
   (void)env;
   (void)thiz;
@@ -55,11 +58,28 @@ static int unittest_jni_unhook(JNIEnv *env, jobject thiz) {
   return unittest_unhook();
 }
 
-static int unittest_jni_run(JNIEnv *env, jobject thiz, jboolean hookee2_loaded) {
+static int unittest_jni_run(JNIEnv *env, jobject thiz) {
+  (void)env;
+  (void)thiz;
+
+  return unittest_run(NULL != hookee2_handle);
+}
+
+static void unittest_jni_dlopen(JNIEnv *env, jobject thiz) {
   (void)env;
   (void)thiz;
 
-  return unittest_run(hookee2_loaded);
+  if (NULL == hookee2_handle) hookee2_handle = dlopen("libhookee2.so", RTLD_NOW);
+}
+
+static void unittest_jni_dlclose(JNIEnv *env, jobject thiz) {
+  (void)env;
+  (void)thiz;
+
+  if (NULL != hookee2_handle) {
+    dlclose(hookee2_handle);
+    hookee2_handle = NULL;
+  }
 }
 
 static void unittest_jni_dump_records(JNIEnv *env, jobject thiz, jstring pathname) {
@@ -95,7 +115,9 @@ JNIEXPORT jint JNICALL JNI_OnLoad(JavaVM *vm, void *reserved) {
   JNINativeMethod m[] = {{"nativeHookSymAddr", "(I)I", (void *)unittest_jni_hook_sym_addr},
                          {"nativeHookSymName", "(I)I", (void *)unittest_jni_hook_sym_name},
                          {"nativeUnhook", "()I", (void *)unittest_jni_unhook},
-                         {"nativeRun", "(Z)I", (void *)unittest_jni_run},
+                         {"nativeDlopen", "()V", (void *)unittest_jni_dlopen},
+                         {"nativeDlclose", "()V", (void *)unittest_jni_dlclose},
+                         {"nativeRun", "()I", (void *)unittest_jni_run},
                          {"nativeDumpRecords", "(Ljava/lang/String;)V", (void *)unittest_jni_dump_records}};
   if (0 != (*env)->RegisterNatives(env, cls, m, sizeof(m) / sizeof(m[0]))) return JNI_ERR;
 
diff --git a/app/src/main/java/com/bytedance/shadowhook/sample/MainActivity.java b/app/src/main/java/com/bytedance/shadowhook/sample/MainActivity.java
index e4840d4..28326c0 100644
--- a/app/src/main/java/com/bytedance/shadowhook/sample/MainActivity.java
+++ b/app/src/main/java/com/bytedance/shadowhook/sample/MainActivity.java
@@ -68,16 +68,19 @@ public void onClick(View v) {
 
         findViewById(R.id.unitTestLoad).setOnClickListener(new View.OnClickListener() {
             public void onClick(View v) {
-                if(!hookee2Loaded) {
-                    hookee2Loaded = true;
-                    System.loadLibrary("hookee2");
-                }
+                NativeHandler.nativeDlopen();
+            }
+        });
+
+        findViewById(R.id.unitTestUnload).setOnClickListener(new View.OnClickListener() {
+            public void onClick(View v) {
+                NativeHandler.nativeDlclose();
             }
         });
 
         findViewById(R.id.unitTestRun).setOnClickListener(new View.OnClickListener() {
             public void onClick(View v) {
-                NativeHandler.nativeRun(hookee2Loaded);
+                NativeHandler.nativeRun();
             }
         });
 
diff --git a/app/src/main/java/com/bytedance/shadowhook/sample/NativeHandler.java b/app/src/main/java/com/bytedance/shadowhook/sample/NativeHandler.java
index 578b621..9958e72 100644
--- a/app/src/main/java/com/bytedance/shadowhook/sample/NativeHandler.java
+++ b/app/src/main/java/com/bytedance/shadowhook/sample/NativeHandler.java
@@ -27,6 +27,8 @@ public class NativeHandler {
     public static native int nativeHookSymAddr(int apiLevel);
     public static native int nativeHookSymName(int apiLevel);
     public static native int nativeUnhook();
-    public static native int nativeRun(boolean hookee2Loaded);
+    public static native void nativeDlopen();
+    public static native void nativeDlclose();
+    public static native int nativeRun();
     public static native void nativeDumpRecords(String pathname);
 }
diff --git a/app/src/main/res/layout/activity_main.xml b/app/src/main/res/layout/activity_main.xml
index 8df8bd8..b9e27bb 100644
--- a/app/src/main/res/layout/activity_main.xml
+++ b/app/src/main/res/layout/activity_main.xml
@@ -34,7 +34,11 @@
 
         <Button style="@style/Theme.Button.Red"
             android:id="@+id/unitTestLoad"
-            android:text="load libhookee2.so (automatically hook)" />
+            android:text="dlopen libhookee2.so" />
+
+        <Button style="@style/Theme.Button.Red"
+            android:id="@+id/unitTestUnload"
+            android:text="dlclose libhookee2.so" />
 
         <Button style="@style/Theme.Button.Red"
             android:id="@+id/unitTestRun"
diff --git a/build.gradle b/build.gradle
index 83665ce..b3b54be 100644
--- a/build.gradle
+++ b/build.gradle
@@ -1,10 +1,10 @@
 plugins {
-    id 'com.android.application' version '8.5.2' apply false
-    id 'com.android.library' version '8.5.2' apply false
+    id 'com.android.application' version '8.7.1' apply false
+    id 'com.android.library' version '8.7.1' apply false
 }
 
 tasks.register('clean', Delete) {
-    delete rootProject.getLayout.getBuildDirectory
+    delete getBuildDir()
 }
 
 ext {
@@ -14,15 +14,15 @@ ext {
     buildToolsVersion = '35.0.0'
     javaVersion = JavaVersion.VERSION_1_7
     ndkVersion = "23.2.8568313"
-    cmakeVersion = "3.22.1"
+    cmakeVersion = "3.30.5"
     abiFilters = "armeabi-v7a,arm64-v8a"
     useASAN = false
     dependencyOnLocalLibrary = true
-    shadowhookVersion = "1.0.10"
+    shadowhookVersion = "1.1.1"
 
     POM_GROUP_ID = "com.bytedance.android"
     POM_ARTIFACT_ID = "shadowhook"
-    POM_VERSION_NAME = "1.0.10"
+    POM_VERSION_NAME = "1.1.1"
 
     POM_NAME = "shadowhook"
     POM_DESCRIPTION = "ShadowHook is an Android inline hook library which supports thumb, arm32 and arm64."
diff --git a/doc/manual.md b/doc/manual.md
index f5986c5..1df77a2 100644
--- a/doc/manual.md
+++ b/doc/manual.md
@@ -103,6 +103,7 @@ If you are using ShadowHook in an SDK project, you may need to avoid packaging l
 android {
     packagingOptions {
         exclude '**/libshadowhook.so'
+        exclude '**/libshadowhook_nothing.so'
     }
 }
 ```
@@ -113,6 +114,7 @@ On the other hand, if you are using ShadowHook in an APP project, you may need t
 android {
     packagingOptions {
         pickFirst '**/libshadowhook.so'
+        pickFirst '**/libshadowhook_nothing.so'
     }
 }
 ```
@@ -734,6 +736,64 @@ void do_unhook(void)
 }
 ```
 
+# Other Function
+
+```C
+#include "shadowhook.h"
+
+// register and unregister callbacks for executing dynamic library's .init .init_array / .fini .fini_array
+typedef void (*shadowhook_dl_info_t)(struct dl_phdr_info *info, size_t size, void *data);
+int shadowhook_register_dl_init_callback(shadowhook_dl_info_t pre, shadowhook_dl_info_t post, void *data);
+int shadowhook_unregister_dl_init_callback(shadowhook_dl_info_t pre, shadowhook_dl_info_t post, void *data);
+int shadowhook_register_dl_fini_callback(shadowhook_dl_info_t pre, shadowhook_dl_info_t post, void *data);
+int shadowhook_unregister_dl_fini_callback(shadowhook_dl_info_t pre, shadowhook_dl_info_t post, void *data);
+```
+
+Register/Unregister `soinfo::call_constructors` and `soinfo::call_destructors` callback functions
+
+### Parameter
+
+* `pre` (can pass `NULL` if not needed): the proxy function before calling `call_constructors/call_destructors`.
+* `post` (can pass `NULL` if not needed): the proxy function after calling `call_constructors/call_destructors`.
+* `data` (can pass `NULL` if not needed): the data passed in the `pre`/`post` proxy function.
+
+Note: **`pre`/`post` proxy functions cannot be empty at the same time**.
+
+### Return Value
+
+* `0`: Succeeded.
+* `-1`: Failed. You can call `shadowhook_get_errno` to get the errno, and you can continue to call `shadowhook_to_errmsg` to get the error message.
+
+### Example
+
+```C
+#include "shadowhook.h"
+
+static void dl_init_pre(struct dl_phdr_info *info, size_t size, void *data) {
+  (void)size, (void)data;
+  __android_log_print(ANDROID_LOG_WARN,  "test", "dl_init, load_bias %" PRIxPTR ", %s", (uintptr_t)info->dlpi_addr, info->dlpi_name);
+}
+
+static void dl_fini_post(struct dl_phdr_info *info, size_t size, void *data) {
+  (void)size, (void)data;
+  __android_log_print(ANDROID_LOG_WARN,  "test", "dl_fini, load_bias %" PRIxPTR ", %s", (uintptr_t)info->dlpi_addr, info->dlpi_name);
+}
+
+void register_callback(void) {
+    if (0 != shadowhook_register_dl_init_callback(dl_init_pre, NULL, NULL)) {
+        int error_num = shadowhook_get_errno();
+        const char *error_msg = shadowhook_to_errmsg(error_num);
+        __android_log_print(ANDROID_LOG_WARN,  "test", "dl_init failed: %d - %s", error_num, error_msg);
+    }
+
+    if (0 != shadowhook_register_dl_fini_callback(NULL, dl_fini_post, NULL)) {
+        int error_num = shadowhook_get_errno();
+        const char *error_msg = shadowhook_to_errmsg(error_num);
+        __android_log_print(ANDROID_LOG_WARN,  "test", "dl_fini failed: %d - %s", error_num, error_msg);
+    }
+}
+```
+
 
 # Error Number
 
diff --git a/doc/manual.zh-CN.md b/doc/manual.zh-CN.md
index 11ca252..2d9aafb 100644
--- a/doc/manual.zh-CN.md
+++ b/doc/manual.zh-CN.md
@@ -103,6 +103,7 @@ android {
 android {
     packagingOptions {
         exclude '**/libshadowhook.so'
+        exclude '**/libshadowhook_nothing.so'
     }
 }
 ```
@@ -113,6 +114,7 @@ android {
 android {
     packagingOptions {
         pickFirst '**/libshadowhook.so'
+        pickFirst '**/libshadowhook_nothing.so'
     }
 }
 ```
@@ -728,7 +730,61 @@ void do_unhook(void)
     stub = NULL;
 }
 ```
+# 其他函数
+```C
+#include "shadowhook.h"
+
+// register and unregister callbacks for executing dynamic library's .init .init_array / .fini .fini_array
+typedef void (*shadowhook_dl_info_t)(struct dl_phdr_info *info, size_t size, void *data);
+int shadowhook_register_dl_init_callback(shadowhook_dl_info_t pre, shadowhook_dl_info_t post, void *data);
+int shadowhook_unregister_dl_init_callback(shadowhook_dl_info_t pre, shadowhook_dl_info_t post, void *data);
+int shadowhook_register_dl_fini_callback(shadowhook_dl_info_t pre, shadowhook_dl_info_t post, void *data);
+int shadowhook_unregister_dl_fini_callback(shadowhook_dl_info_t pre, shadowhook_dl_info_t post, void *data);
+```
+注册 / 反注册 `soinfo::call_constructors` 和`soinfo::call_destructors`回调函数
+
+### 参数
+
+* `pre`（不需要的话可传 `NULL`）：调用`call_constructors/call_destructors `前的代理函数。
+* `post`（不需要的话可传 `NULL`）：调用`call_constructors/call_destructors `后的代理函数。
+* `data`（不需要的话可传 `NULL`）：`pre`/`post`代理函数中传递的数据。
+
+注意：**`pre`/`post`代理函数不可同时为空**。
+
+### 返回值
+
+* `0`：成功。
+* `-1`：失败。可调用 `shadowhook_get_errno` 获取 errno，可继续调用 `shadowhook_to_errmsg` 获取 error message。
+
+### 举例
+
+```C
+#include "shadowhook.h"
 
+static void dl_init_pre(struct dl_phdr_info *info, size_t size, void *data) {
+  (void)size, (void)data;
+  __android_log_print(ANDROID_LOG_WARN,  "test", "dl_init, load_bias %" PRIxPTR ", %s", (uintptr_t)info->dlpi_addr, info->dlpi_name);
+}
+
+static void dl_fini_post(struct dl_phdr_info *info, size_t size, void *data) {
+  (void)size, (void)data;
+  __android_log_print(ANDROID_LOG_WARN,  "test", "dl_fini, load_bias %" PRIxPTR ", %s", (uintptr_t)info->dlpi_addr, info->dlpi_name);
+}
+
+void register_callback(void) {
+    if (0 != shadowhook_register_dl_init_callback(dl_init_pre, NULL, NULL)) {
+        int error_num = shadowhook_get_errno();
+        const char *error_msg = shadowhook_to_errmsg(error_num);
+        __android_log_print(ANDROID_LOG_WARN,  "test", "dl_init failed: %d - %s", error_num, error_msg);
+    }
+
+    if (0 != shadowhook_register_dl_fini_callback(NULL, dl_fini_post, NULL)) {
+        int error_num = shadowhook_get_errno();
+        const char *error_msg = shadowhook_to_errmsg(error_num);
+        __android_log_print(ANDROID_LOG_WARN,  "test", "dl_fini failed: %d - %s", error_num, error_msg);
+    }
+}
+```
 
 # 错误码
 
diff --git a/gradle/wrapper/gradle-wrapper.properties b/gradle/wrapper/gradle-wrapper.properties
index e348822..228da75 100644
--- a/gradle/wrapper/gradle-wrapper.properties
+++ b/gradle/wrapper/gradle-wrapper.properties
@@ -1,6 +1,6 @@
 #Thu Dec 30 21:41:31 CST 2021
 distributionBase=GRADLE_USER_HOME
-distributionUrl=https\://services.gradle.org/distributions/gradle-8.7-bin.zip
+distributionUrl=https\://services.gradle.org/distributions/gradle-8.9-bin.zip
 distributionPath=wrapper/dists
 zipStorePath=wrapper/dists
 zipStoreBase=GRADLE_USER_HOME
diff --git a/shadowhook/src/main/cpp/CMakeLists.txt b/shadowhook/src/main/cpp/CMakeLists.txt
index cd54de3..9fcd304 100644
--- a/shadowhook/src/main/cpp/CMakeLists.txt
+++ b/shadowhook/src/main/cpp/CMakeLists.txt
@@ -1,4 +1,4 @@
-cmake_minimum_required(VERSION 3.22.1)
+cmake_minimum_required(VERSION 3.30.5)
 project(shadowhook)
 
 if(${ANDROID_ABI} STREQUAL "arm64-v8a")
@@ -25,3 +25,11 @@ else()
     target_compile_options(${TARGET} PUBLIC -Oz -ffunction-sections -fdata-sections)
     target_link_options(${TARGET} PUBLIC -Oz -Wl,--exclude-libs,ALL -Wl,--gc-sections -Wl,--version-script=${CMAKE_CURRENT_SOURCE_DIR}/shadowhook.map.txt)
 endif()
+set(TARGET "shadowhook_nothing")
+add_library(${TARGET} SHARED nothing/sh_nothing.c)
+target_compile_options(${TARGET} PUBLIC -Oz -Weverything -Werror -fno-ident -fno-unwind-tables -fno-asynchronous-unwind-tables)
+target_link_options(${TARGET} PUBLIC ${ARCH_LINK_FLAGS} -Wl,--strip-all -Wl,--as-needed -Wl,--hash-style=sysv -Wl,--build-id=none -Wl,-nostdlib -nostartfiles -nodefaultlibs)
+find_program(LLVM_OBJCOPY_PATH NAMES "llvm-objcopy" PATHS ${ANDROID_NDK}/toolchains/llvm/prebuilt/*/bin NO_DEFAULT_PATH)
+if(LLVM_OBJCOPY_PATH)
+    add_custom_command(TARGET ${TARGET} POST_BUILD COMMAND ${LLVM_OBJCOPY_PATH} --remove-section=.comment --remove-section=.ARM.attributes $<TARGET_FILE:${TARGET}>)
+endif()
diff --git a/shadowhook/src/main/cpp/arch/arm/sh_inst.c b/shadowhook/src/main/cpp/arch/arm/sh_inst.c
index 4c8256e..27a8999 100644
--- a/shadowhook/src/main/cpp/arch/arm/sh_inst.c
+++ b/shadowhook/src/main/cpp/arch/arm/sh_inst.c
@@ -521,3 +521,15 @@ int sh_inst_unhook(sh_inst_t *self, uintptr_t target_addr) {
   SH_LOG_INFO("%s: unhook OK. target %" PRIxPTR, is_thumb ? "thumb" : "a32", target_addr);
   return 0;
 }
+
+void sh_inst_free_after_dlclose(sh_inst_t *self, uintptr_t target_addr) {
+  bool is_thumb = SH_UTIL_IS_THUMB(target_addr);
+
+  // free memory space for exit
+  if (0 != self->exit_addr) sh_exit_free_after_dlclose(self->exit_addr, (uint16_t)self->exit_type);
+
+  // free memory space for enter
+  sh_enter_free(self->enter_addr);
+
+  SH_LOG_INFO("%s: free_after_dlclose OK. target %" PRIxPTR, is_thumb ? "thumb" : "a32", target_addr);
+}
diff --git a/shadowhook/src/main/cpp/arch/arm/sh_inst.h b/shadowhook/src/main/cpp/arch/arm/sh_inst.h
index 48692d5..9213f9e 100644
--- a/shadowhook/src/main/cpp/arch/arm/sh_inst.h
+++ b/shadowhook/src/main/cpp/arch/arm/sh_inst.h
@@ -39,3 +39,5 @@ typedef struct {
 int sh_inst_hook(sh_inst_t *self, uintptr_t target_addr, xdl_info_t *dlinfo, uintptr_t new_addr,
                  uintptr_t *orig_addr, uintptr_t *orig_addr2);
 int sh_inst_unhook(sh_inst_t *self, uintptr_t target_addr);
+
+void sh_inst_free_after_dlclose(sh_inst_t *self, uintptr_t target_addr);
diff --git a/shadowhook/src/main/cpp/arch/arm/sh_t16.c b/shadowhook/src/main/cpp/arch/arm/sh_t16.c
index a4e0dd4..bbded3a 100644
--- a/shadowhook/src/main/cpp/arch/arm/sh_t16.c
+++ b/shadowhook/src/main/cpp/arch/arm/sh_t16.c
@@ -240,11 +240,11 @@ bool sh_t16_parse_it(sh_t16_it_t *it, uint16_t inst, uintptr_t pc) {
 
   // address of the first inst in the IT block, skip the IT inst itself (2 bytes)
   uintptr_t target_addr = pc - 4 + 2;
+  memset(it, 0, sizeof(sh_t16_it_t));
 
-  it->firstcond = (uint8_t)(inst >> 4u);
+  it->firstcond = (uint8_t)((inst >> 4u) & 0xF);
   uint8_t firstcond_0 = it->firstcond & 1u;
 
-  memset(it, 0, sizeof(sh_t16_it_t));
   it->insts_cnt = sh_t16_get_it_insts_count(inst);
 
   size_t insts_idx = 0, pcs_idx = 0;
diff --git a/shadowhook/src/main/cpp/arch/arm64/sh_inst.c b/shadowhook/src/main/cpp/arch/arm64/sh_inst.c
index 9cbdb84..372b815 100644
--- a/shadowhook/src/main/cpp/arch/arm64/sh_inst.c
+++ b/shadowhook/src/main/cpp/arch/arm64/sh_inst.c
@@ -201,3 +201,13 @@ int sh_inst_unhook(sh_inst_t *self, uintptr_t target_addr) {
   SH_LOG_INFO("a64: unhook OK. target %" PRIxPTR, target_addr);
   return 0;
 }
+
+void sh_inst_free_after_dlclose(sh_inst_t *self, uintptr_t target_addr) {
+  // free memory space for exit
+  if (0 != self->exit_addr) sh_exit_free_after_dlclose(self->exit_addr, (uint16_t)self->exit_type);
+
+  // free memory space for enter
+  sh_enter_free(self->enter_addr);
+
+  SH_LOG_INFO("a64: free_after_dlclose OK. target %" PRIxPTR, target_addr);
+}
diff --git a/shadowhook/src/main/cpp/arch/arm64/sh_inst.h b/shadowhook/src/main/cpp/arch/arm64/sh_inst.h
index 9fc2c9a..d89d366 100644
--- a/shadowhook/src/main/cpp/arch/arm64/sh_inst.h
+++ b/shadowhook/src/main/cpp/arch/arm64/sh_inst.h
@@ -40,3 +40,5 @@ typedef struct {
 int sh_inst_hook(sh_inst_t *self, uintptr_t target_addr, xdl_info_t *dlinfo, uintptr_t new_addr,
                  uintptr_t *orig_addr, uintptr_t *orig_addr2);
 int sh_inst_unhook(sh_inst_t *self, uintptr_t target_addr);
+
+void sh_inst_free_after_dlclose(sh_inst_t *self, uintptr_t target_addr);
diff --git a/shadowhook/src/main/cpp/common/bytesig.c b/shadowhook/src/main/cpp/common/bytesig.c
index 174ac0b..fc6b846 100644
--- a/shadowhook/src/main/cpp/common/bytesig.c
+++ b/shadowhook/src/main/cpp/common/bytesig.c
@@ -21,7 +21,7 @@
 
 // Created by Kelun Cai (caikelun@bytedance.com) on 2021-04-11.
 
-// version 1.0.4
+// version 1.0.5
 
 #include "bytesig.h"
 
@@ -96,8 +96,8 @@ __attribute__((constructor)) static void bytesig_ctor(void) {
 #pragma clang diagnostic push
 #pragma clang diagnostic ignored "-Wpadded"
 typedef struct {
-  pid_t tids[BYTESIG_PROTECTED_THREADS_MAX];
-  sigjmp_buf *jbufs[BYTESIG_PROTECTED_THREADS_MAX];
+  pid_t tids[BYTESIG_PROTECTED_THREADS_MAX];         // atomic
+  sigjmp_buf *jbufs[BYTESIG_PROTECTED_THREADS_MAX];  // atomic
   union {
     struct sigaction64 prev_action64;
     struct sigaction prev_action;
@@ -128,7 +128,7 @@ __attribute__((noinline)) static void bytesig_handler_internal(int signum, sigin
   pid_t tid = gettid();
   if (__predict_false(0 == tid)) tid = (pid_t)syscall(SYS_gettid);
   for (size_t i = 0; i < BYTESIG_PROTECTED_THREADS_MAX; i++) {
-    if (__predict_false(tid == __atomic_load_n(&(sig->tids[i]), __ATOMIC_RELAXED))) {
+    if (__predict_false(tid == __atomic_load_n(&sig->tids[i], __ATOMIC_ACQUIRE))) {
       BYTESIG_LOG("siglongjmp signal %d (code %d) at %zu", signum, siginfo->si_code, i);
 
       unsigned int ret_signum = (((unsigned int)signum & 0xFFU) << 16U);
@@ -139,7 +139,7 @@ __attribute__((noinline)) static void bytesig_handler_internal(int signum, sigin
         ret_code = (unsigned int)(-(siginfo->si_code)) & 0xFFU;
       int ret_val = (int)(ret_signum | ret_code);
 
-      siglongjmp(*(__atomic_load_n(&(sig->jbufs[i]), __ATOMIC_RELAXED)), ret_val);
+      siglongjmp(*(__atomic_load_n(&sig->jbufs[i], __ATOMIC_RELAXED)), ret_val);
     }
   }
 
@@ -202,19 +202,18 @@ int bytesig_init(int signum) {
 
 #define SA_EXPOSE_TAGBITS 0x00000800
 
-#define REGISTER_SIGNAL_HANDLER(suffix)                                                                     \
-  do {                                                                                                      \
-    struct sigaction##suffix act;                                                                           \
-    memset(&act, 0, sizeof(struct sigaction##suffix));                                                      \
-    sigfillset##suffix(&act.sa_mask);                                                                       \
-    act.sa_sigaction = bytesig_handler;                                                                     \
-    act.sa_flags = SA_SIGINFO | SA_ONSTACK | SA_RESTART | SA_EXPOSE_TAGBITS;                                \
-    if (__predict_false(                                                                                    \
-            0 !=                                                                                            \
-            ((bytesig_sigaction##suffix##_t)bytesig_sigaction)(signum, &act, &sig->prev_action##suffix))) { \
-      free(sig);                                                                                            \
-      goto end;                                                                                             \
-    }                                                                                                       \
+#define REGISTER_SIGNAL_HANDLER(suffix)                                          \
+  do {                                                                           \
+    struct sigaction##suffix act;                                                \
+    memset(&act, 0, sizeof(struct sigaction##suffix));                           \
+    sigfillset##suffix(&act.sa_mask);                                            \
+    act.sa_sigaction = bytesig_handler;                                          \
+    act.sa_flags = SA_SIGINFO | SA_ONSTACK | SA_RESTART | SA_EXPOSE_TAGBITS;     \
+    if (__predict_false(0 != ((bytesig_sigaction##suffix##_t)bytesig_sigaction)( \
+                                 signum, &act, &sig->prev_action##suffix))) {    \
+      free(sig);                                                                 \
+      goto end;                                                                  \
+    }                                                                            \
   } while (0)
 
   // register the signal handler, we start off with all signals blocked
@@ -243,7 +242,7 @@ void bytesig_protect(pid_t tid, sigjmp_buf *jbuf, const int signums[], size_t si
     // check repeated thread
     bool repeated = false;
     for (size_t j = 0; j < BYTESIG_PROTECTED_THREADS_MAX; j++) {
-      if (__predict_false(tid == sig->tids[j])) {
+      if (__predict_false(tid == __atomic_load_n(&sig->tids[j], __ATOMIC_RELAXED))) {
         repeated = true;
         break;
       }
@@ -253,14 +252,12 @@ void bytesig_protect(pid_t tid, sigjmp_buf *jbuf, const int signums[], size_t si
     // save thread-ID and jump buffer
     size_t j = 0;
     while (1) {
-      if (0 == sig->tids[j]) {
-        pid_t expected = 0;
-        if (__atomic_compare_exchange_n(&sig->tids[j], &expected, tid, false, __ATOMIC_ACQUIRE,
-                                        __ATOMIC_RELAXED)) {
-          sig->jbufs[j] = jbuf;
-          BYTESIG_LOG("protect_start signal %d at %zu", signum, j);
-          break;  // finished
-        }
+      pid_t expected = 0;
+      if (__atomic_compare_exchange_n(&sig->tids[j], &expected, tid, false, __ATOMIC_RELEASE,
+                                      __ATOMIC_RELAXED)) {
+        __atomic_store_n(&sig->jbufs[j], jbuf, __ATOMIC_RELAXED);
+        BYTESIG_LOG("protect_start signal %d at %zu", signum, j);
+        break;  // finished
       }
 
       j++;
@@ -280,9 +277,9 @@ void bytesig_unprotect(pid_t tid, const int signums[], size_t signums_cnt) {
 
     // free thread-ID and jump buffer
     for (size_t j = 0; j < BYTESIG_PROTECTED_THREADS_MAX; j++) {
-      if (tid == sig->tids[j]) {
-        sig->jbufs[j] = NULL;
-        __atomic_store_n(&sig->tids[j], 0, __ATOMIC_RELEASE);
+      pid_t expected = tid;
+      if (__atomic_compare_exchange_n(&sig->tids[j], &expected, 0, false, __ATOMIC_RELEASE,
+                                      __ATOMIC_RELAXED)) {
         BYTESIG_LOG("protect_end signal %d at %zu", signum, j);
         break;  // finished
       }
diff --git a/shadowhook/src/main/cpp/common/bytesig.h b/shadowhook/src/main/cpp/common/bytesig.h
index b8fcd75..02781d9 100644
--- a/shadowhook/src/main/cpp/common/bytesig.h
+++ b/shadowhook/src/main/cpp/common/bytesig.h
@@ -21,7 +21,7 @@
 
 // Created by Kelun Cai (caikelun@bytedance.com) on 2021-04-11.
 
-// version 1.0.4
+// version 1.0.5
 
 /*
  * #include "bytesig.h"
@@ -138,8 +138,7 @@
   if (1 == _bytesig_protected_)                                                             \
     bytesig_unprotect(_bytesig_tid_, _bytesig_sigs_, sizeof(_bytesig_sigs_) / sizeof(int)); \
   }                                                                                         \
-  while (0)                                                                                 \
-    ;
+  while (0);
 
 #ifdef __cplusplus
 extern "C" {
diff --git a/shadowhook/src/main/cpp/common/sh_config.h b/shadowhook/src/main/cpp/common/sh_config.h
index 8fcd0b7..2cd27ac 100644
--- a/shadowhook/src/main/cpp/common/sh_config.h
+++ b/shadowhook/src/main/cpp/common/sh_config.h
@@ -27,7 +27,7 @@
 //
 // Note that in some cases these logs themselves can cause a crash.
 //
-//#define SH_CONFIG_DEBUG
+// #define SH_CONFIG_DEBUG
 
 // Operation record of hook and unhook.
 //
diff --git a/shadowhook/src/main/cpp/common/sh_errno.c b/shadowhook/src/main/cpp/common/sh_errno.c
index 210cfb4..6a32654 100644
--- a/shadowhook/src/main/cpp/common/sh_errno.c
+++ b/shadowhook/src/main/cpp/common/sh_errno.c
@@ -99,7 +99,11 @@ const char *sh_errno_to_errmsg(int error_number) {
                               /* 32 */ "Unhook on an error status task",
                               /* 33 */ "Unhook on an unfinished task",
                               /* 34 */ "ELF with an unsupported architecture",
-                              /* 35 */ "Linker with an unsupported architecture"};
+                              /* 35 */ "Linker with an unsupported architecture",
+                              /* 36 */ "Duplicate register callback",
+                              /* 37 */ "Unregister not-existed callback",
+                              /* 38 */ "Register callback not supported",
+                              /* 39 */ "TaskManager init Failed"};
 
   if (error_number < 0 || error_number >= (int)(sizeof(msg) / sizeof(msg[0]))) return "Unknown error number";
 
diff --git a/shadowhook/src/main/cpp/common/sh_sig.h b/shadowhook/src/main/cpp/common/sh_sig.h
index 66e5397..fa4682d 100644
--- a/shadowhook/src/main/cpp/common/sh_sig.h
+++ b/shadowhook/src/main/cpp/common/sh_sig.h
@@ -43,7 +43,6 @@
 #define SH_SIG_EXIT \
   }                 \
   }                 \
-  while (0)         \
-    ;
+  while (0);
 
 #endif
diff --git a/shadowhook/src/main/cpp/common/sh_trampo.c b/shadowhook/src/main/cpp/common/sh_trampo.c
index 555d877..a5673b8 100644
--- a/shadowhook/src/main/cpp/common/sh_trampo.c
+++ b/shadowhook/src/main/cpp/common/sh_trampo.c
@@ -36,37 +36,35 @@
 
 #define SH_TRAMPO_ALIGN 4
 
-void sh_trampo_init_mgr(sh_trampo_mgr_t *mem_mgr, const char *page_name, size_t trampo_size,
-                        time_t delay_sec) {
-  SLIST_INIT(&mem_mgr->pages);
-  pthread_mutex_init(&mem_mgr->pages_lock, NULL);
-  mem_mgr->page_name = page_name;
-  mem_mgr->trampo_size = SH_UTIL_ALIGN_END(trampo_size, SH_TRAMPO_ALIGN);
-  mem_mgr->delay_sec = delay_sec;
+void sh_trampo_init_mgr(sh_trampo_mgr_t *mgr, const char *page_name, size_t trampo_size, time_t delay_sec) {
+  SLIST_INIT(&mgr->pages);
+  pthread_mutex_init(&mgr->pages_lock, NULL);
+  mgr->page_name = page_name;
+  mgr->trampo_size = SH_UTIL_ALIGN_END(trampo_size, SH_TRAMPO_ALIGN);
+  mgr->delay_sec = delay_sec;
 }
 
-uintptr_t sh_trampo_alloc(sh_trampo_mgr_t *mem_mgr, uintptr_t hint, uintptr_t range_low,
-                          uintptr_t range_high) {
-  uintptr_t mem = 0;
+uintptr_t sh_trampo_alloc(sh_trampo_mgr_t *mgr, uintptr_t hint, uintptr_t range_low, uintptr_t range_high) {
+  uintptr_t trampo = 0;
   uintptr_t new_ptr;
   uintptr_t new_ptr_prctl = (uintptr_t)MAP_FAILED;
   size_t trampo_page_size = sh_util_get_page_size();
-  size_t count = trampo_page_size / mem_mgr->trampo_size;
+  size_t count = trampo_page_size / mgr->trampo_size;
 
   if (range_low > hint) range_low = hint;
   if (range_high > UINTPTR_MAX - hint) range_high = UINTPTR_MAX - hint;
 
   struct timeval now;
-  if (mem_mgr->delay_sec > 0) gettimeofday(&now, NULL);
+  if (mgr->delay_sec > 0) gettimeofday(&now, NULL);
 
-  pthread_mutex_lock(&mem_mgr->pages_lock);
+  pthread_mutex_lock(&mgr->pages_lock);
 
-  // try to find an unused mem
+  // try to find an unused trampo
   sh_trampo_page_t *page;
-  SLIST_FOREACH(page, &mem_mgr->pages, link) {
+  SLIST_FOREACH(page, &mgr->pages, link) {
     // check hit range
     uintptr_t page_trampo_start = page->ptr;
-    uintptr_t page_trampo_end = page->ptr + trampo_page_size - mem_mgr->trampo_size;
+    uintptr_t page_trampo_end = page->ptr + trampo_page_size - mgr->trampo_size;
     if (hint > 0 && ((page_trampo_end < hint - range_low) || (hint + range_high < page_trampo_start)))
       continue;
 
@@ -76,32 +74,32 @@ uintptr_t sh_trampo_alloc(sh_trampo_mgr_t *mem_mgr, uintptr_t hint, uintptr_t ra
       if (0 == (page->flags[flags_idx] & mask))  // check flag
       {
         // check timestamp
-        if (mem_mgr->delay_sec > 0 &&
-            (now.tv_sec <= page->timestamps[i] || now.tv_sec - page->timestamps[i] <= mem_mgr->delay_sec))
+        if (mgr->delay_sec > 0 &&
+            (now.tv_sec <= page->timestamps[i] || now.tv_sec - page->timestamps[i] <= mgr->delay_sec))
           continue;
 
         // check hit range
-        uintptr_t cur = page->ptr + (mem_mgr->trampo_size * i);
+        uintptr_t cur = page->ptr + (mgr->trampo_size * i);
         if (hint > 0 && ((cur < hint - range_low) || (hint + range_high < cur))) continue;
 
         // OK
         page->flags[flags_idx] |= mask;
-        mem = cur;
-        memset((void *)mem, 0, mem_mgr->trampo_size);
+        trampo = cur;
+        memset((void *)trampo, 0, mgr->trampo_size);
         goto end;
       }
     }
   }
 
-  // alloc a new mem page
+  // alloc a new memory page
   new_ptr = (uintptr_t)(mmap(hint > 0 ? (void *)(hint - range_low) : NULL, trampo_page_size,
                              PROT_READ | PROT_WRITE | PROT_EXEC, MAP_PRIVATE | MAP_ANONYMOUS, -1, 0));
   if ((uintptr_t)MAP_FAILED == new_ptr) goto err;
   new_ptr_prctl = new_ptr;
 
   // check hit range
-  if (hint > 0 && ((hint - range_low >= new_ptr + trampo_page_size - mem_mgr->trampo_size) ||
-                   (hint + range_high < new_ptr)))
+  if (hint > 0 &&
+      ((hint - range_low >= new_ptr + trampo_page_size - mgr->trampo_size) || (hint + range_high < new_ptr)))
     goto err;
 
   // create a new trampo-page info
@@ -111,35 +109,35 @@ uintptr_t sh_trampo_alloc(sh_trampo_mgr_t *mem_mgr, uintptr_t hint, uintptr_t ra
   new_ptr = (uintptr_t)MAP_FAILED;
   if (NULL == (page->flags = calloc(1, SH_UTIL_ALIGN_END(count, 32) / 8))) goto err;
   page->timestamps = NULL;
-  if (mem_mgr->delay_sec > 0) {
+  if (mgr->delay_sec > 0) {
     if (NULL == (page->timestamps = calloc(1, count * sizeof(time_t)))) goto err;
   }
-  SLIST_INSERT_HEAD(&mem_mgr->pages, page, link);
+  SLIST_INSERT_HEAD(&mgr->pages, page, link);
 
-  // alloc mem from the new mem page
+  // alloc trampo from the new memory page
   for (uintptr_t i = 0; i < count; i++) {
     size_t flags_idx = i / 32;
     uint32_t mask = (uint32_t)1 << (i % 32);
 
     // check hit range
-    uintptr_t find = page->ptr + (mem_mgr->trampo_size * i);
+    uintptr_t find = page->ptr + (mgr->trampo_size * i);
     if (hint > 0 && ((find < hint - range_low) || (hint + range_high < find))) continue;
 
     // OK
     page->flags[flags_idx] |= mask;
-    mem = find;
+    trampo = find;
     break;
   }
-  if (0 == mem) abort();
+  if (0 == trampo) abort();
 
 end:
-  pthread_mutex_unlock(&mem_mgr->pages_lock);
+  pthread_mutex_unlock(&mgr->pages_lock);
   if ((uintptr_t)MAP_FAILED != new_ptr_prctl)
-    prctl(PR_SET_VMA, PR_SET_VMA_ANON_NAME, new_ptr_prctl, trampo_page_size, mem_mgr->page_name);
-  return mem;
+    prctl(PR_SET_VMA, PR_SET_VMA_ANON_NAME, new_ptr_prctl, trampo_page_size, mgr->page_name);
+  return trampo;
 
 err:
-  pthread_mutex_unlock(&mem_mgr->pages_lock);
+  pthread_mutex_unlock(&mgr->pages_lock);
   if (NULL != page) {
     if (0 != page->ptr) munmap((void *)page->ptr, trampo_page_size);
     if (NULL != page->flags) free(page->flags);
@@ -150,24 +148,24 @@ uintptr_t sh_trampo_alloc(sh_trampo_mgr_t *mem_mgr, uintptr_t hint, uintptr_t ra
   return 0;
 }
 
-void sh_trampo_free(sh_trampo_mgr_t *mem_mgr, uintptr_t mem) {
+void sh_trampo_free(sh_trampo_mgr_t *mgr, uintptr_t trampo) {
   struct timeval now;
-  if (mem_mgr->delay_sec > 0) gettimeofday(&now, NULL);
+  if (mgr->delay_sec > 0) gettimeofday(&now, NULL);
 
-  pthread_mutex_lock(&mem_mgr->pages_lock);
+  pthread_mutex_lock(&mgr->pages_lock);
 
   size_t trampo_page_size = sh_util_get_page_size();
   sh_trampo_page_t *page;
-  SLIST_FOREACH(page, &mem_mgr->pages, link) {
-    if (page->ptr <= mem && mem < page->ptr + trampo_page_size) {
-      uintptr_t i = (mem - page->ptr) / mem_mgr->trampo_size;
+  SLIST_FOREACH(page, &mgr->pages, link) {
+    if (page->ptr <= trampo && trampo < page->ptr + trampo_page_size) {
+      uintptr_t i = (trampo - page->ptr) / mgr->trampo_size;
       size_t flags_idx = i / 32;
       uint32_t mask = (uint32_t)1 << (i % 32);
-      if (mem_mgr->delay_sec > 0) page->timestamps[i] = now.tv_sec;
+      if (mgr->delay_sec > 0) page->timestamps[i] = now.tv_sec;
       page->flags[flags_idx] &= ~mask;
       break;
     }
   }
 
-  pthread_mutex_unlock(&mem_mgr->pages_lock);
+  pthread_mutex_unlock(&mgr->pages_lock);
 }
diff --git a/shadowhook/src/main/cpp/common/sh_trampo.h b/shadowhook/src/main/cpp/common/sh_trampo.h
index 404be1c..6b05cf1 100644
--- a/shadowhook/src/main/cpp/common/sh_trampo.h
+++ b/shadowhook/src/main/cpp/common/sh_trampo.h
@@ -44,9 +44,7 @@ typedef struct sh_trampo_mgr {
   time_t delay_sec;
 } sh_trampo_mgr_t;
 
-void sh_trampo_init_mgr(sh_trampo_mgr_t *mem_mgr, const char *page_name, size_t trampo_size,
-                        time_t delay_sec);
+void sh_trampo_init_mgr(sh_trampo_mgr_t *mgr, const char *page_name, size_t trampo_size, time_t delay_sec);
 
-uintptr_t sh_trampo_alloc(sh_trampo_mgr_t *mem_mgr, uintptr_t hint, uintptr_t low_offset,
-                          uintptr_t high_offset);
-void sh_trampo_free(sh_trampo_mgr_t *mem_mgr, uintptr_t mem);
+uintptr_t sh_trampo_alloc(sh_trampo_mgr_t *mgr, uintptr_t hint, uintptr_t low_offset, uintptr_t high_offset);
+void sh_trampo_free(sh_trampo_mgr_t *mgr, uintptr_t trampo);
diff --git a/shadowhook/src/main/cpp/common/sh_util.c b/shadowhook/src/main/cpp/common/sh_util.c
index e480b27..2305bf0 100644
--- a/shadowhook/src/main/cpp/common/sh_util.c
+++ b/shadowhook/src/main/cpp/common/sh_util.c
@@ -35,6 +35,7 @@
 #include "sh_log.h"
 #include "sh_sig.h"
 #include "shadowhook.h"
+#include "xdl.h"
 
 static size_t sh_util_page_size = 0;
 
@@ -109,7 +110,7 @@ int sh_util_write_inst(uintptr_t target_addr, void *inst, size_t inst_len) {
   return 0;  // OK
 }
 
-static bool sh_util_starts_with(const char *str, const char *start) {
+bool sh_util_starts_with(const char *str, const char *start) {
   while (*str && *str == *start) {
     str++;
     start++;
@@ -118,6 +119,15 @@ static bool sh_util_starts_with(const char *str, const char *start) {
   return '\0' == *start;
 }
 
+bool sh_util_ends_with(const char *str, const char *ending) {
+  size_t str_len = strlen(str);
+  size_t ending_len = strlen(ending);
+
+  if (ending_len > str_len) return false;
+
+  return 0 == strcmp(str + (str_len - ending_len), ending);
+}
+
 static int sh_util_get_api_level_from_build_prop(void) {
   char buf[128];
   int api_level = -1;
@@ -554,3 +564,17 @@ size_t sh_util_snprintf(char *buffer, size_t buffer_size, const char *format, ..
   va_end(args);
   return buffer_len;
 }
+
+bool sh_util_is_in_elf_pt_load(xdl_info_t *dlinfo, uintptr_t addr) {
+  if (addr < (uintptr_t)dlinfo->dli_fbase) return false;
+
+  uintptr_t vaddr = addr - (uintptr_t)dlinfo->dli_fbase;
+  for (size_t i = 0; i < dlinfo->dlpi_phnum; i++) {
+    const ElfW(Phdr) *phdr = &(dlinfo->dlpi_phdr[i]);
+    if (PT_LOAD != phdr->p_type) continue;
+
+    if (phdr->p_vaddr <= vaddr && vaddr < phdr->p_vaddr + phdr->p_memsz) return true;
+  }
+
+  return false;
+}
diff --git a/shadowhook/src/main/cpp/common/sh_util.h b/shadowhook/src/main/cpp/common/sh_util.h
index 5958caf..8fe3397 100644
--- a/shadowhook/src/main/cpp/common/sh_util.h
+++ b/shadowhook/src/main/cpp/common/sh_util.h
@@ -30,6 +30,14 @@
 #include <stdint.h>
 #include <time.h>
 
+#include "xdl.h"
+
+#if defined(__arm__) && __ANDROID_API__ < __ANDROID_API_L__
+#define SH_UTIL_COMPATIBLE_WITH_ARM_ANDROID_4_X 1
+#else
+#define SH_UTIL_COMPATIBLE_WITH_ARM_ANDROID_4_X 0
+#endif
+
 #pragma clang diagnostic push
 #pragma clang diagnostic ignored "-Wreserved-id-macro"
 #ifndef __ANDROID_API_U__
@@ -37,14 +45,14 @@
 #endif
 #pragma clang diagnostic pop
 
-#define SH_UTIL_ALIGN_START(x, align) ((uintptr_t)(x) & ~((uintptr_t)(align)-1))
-#define SH_UTIL_ALIGN_END(x, align)   (((uintptr_t)(x) + (uintptr_t)(align)-1) & ~((uintptr_t)(align)-1))
+#define SH_UTIL_ALIGN_START(x, align) ((uintptr_t)(x) & ~((uintptr_t)(align) - 1))
+#define SH_UTIL_ALIGN_END(x, align)   (((uintptr_t)(x) + (uintptr_t)(align) - 1) & ~((uintptr_t)(align) - 1))
 
-#define SH_UTIL_IS_THUMB(addr)   ((addr)&1u)
-#define SH_UTIL_CLEAR_BIT0(addr) ((addr)&0xFFFFFFFE)
+#define SH_UTIL_IS_THUMB(addr)   ((addr) & 1u)
+#define SH_UTIL_CLEAR_BIT0(addr) ((addr) & 0xFFFFFFFE)
 #define SH_UTIL_SET_BIT0(addr)   ((addr) | 1u)
 
-#define SH_UTIL_ALIGN_4(pc) ((pc)&0xFFFFFFFC)
+#define SH_UTIL_ALIGN_4(pc) ((pc) & 0xFFFFFFFC)
 #define SH_UTIL_SIGN_EXTEND_32(n, len) \
   ((SH_UTIL_GET_BIT_32(n, len - 1) > 0) ? ((n) | (0xFFFFFFFF << (len))) : n)
 #define SH_UTIL_SIGN_EXTEND_64(n, len) \
@@ -94,6 +102,9 @@ uint32_t sh_util_arm_expand_imm(uint32_t opcode);
 
 int sh_util_write_inst(uintptr_t target_addr, void *inst, size_t inst_len);
 
+bool sh_util_starts_with(const char *str, const char *start);
+bool sh_util_ends_with(const char *str, const char *ending);
+
 int sh_util_get_api_level(void);
 
 int sh_util_write(int fd, const char *buf, size_t buf_len);
@@ -102,3 +113,5 @@ struct tm *sh_util_localtime_r(const time_t *timep, long gmtoff, struct tm *resu
 
 size_t sh_util_vsnprintf(char *buffer, size_t buffer_size, const char *format, va_list args);
 size_t sh_util_snprintf(char *buffer, size_t buffer_size, const char *format, ...);
+
+bool sh_util_is_in_elf_pt_load(xdl_info_t *dlinfo, uintptr_t addr);
diff --git a/shadowhook/src/main/cpp/include/shadowhook.h b/shadowhook/src/main/cpp/include/shadowhook.h
index 42b1418..eda9529 100644
--- a/shadowhook/src/main/cpp/include/shadowhook.h
+++ b/shadowhook/src/main/cpp/include/shadowhook.h
@@ -31,10 +31,11 @@
 #ifndef BYTEDANCE_SHADOWHOOK_H
 #define BYTEDANCE_SHADOWHOOK_H
 
+#include <link.h>
 #include <stdbool.h>
 #include <stdint.h>
 
-#define SHADOWHOOK_VERSION "1.0.10"
+#define SHADOWHOOK_VERSION "1.1.1"
 
 #define SHADOWHOOK_ERRNO_OK                     0
 #define SHADOWHOOK_ERRNO_PENDING                1
@@ -72,6 +73,10 @@
 #define SHADOWHOOK_ERRNO_UNHOOK_ON_UNFINISHED   33
 #define SHADOWHOOK_ERRNO_ELF_ARCH_MISMATCH      34
 #define SHADOWHOOK_ERRNO_LINKER_ARCH_MISMATCH   35
+#define SHADOWHOOK_ERRNO_DUP                    36
+#define SHADOWHOOK_ERRNO_NOT_FOUND              37
+#define SHADOWHOOK_ERRNO_NOT_SUPPORT            38
+#define SHADOWHOOK_ERRNO_INIT_TASK              39
 
 #ifdef __cplusplus
 extern "C" {
@@ -132,6 +137,13 @@ void *shadowhook_dlsym(void *handle, const char *sym_name);
 void *shadowhook_dlsym_dynsym(void *handle, const char *sym_name);
 void *shadowhook_dlsym_symtab(void *handle, const char *sym_name);
 
+// register and unregister callbacks for executing dynamic library's .init .init_array / .fini .fini_array
+typedef void (*shadowhook_dl_info_t)(struct dl_phdr_info *info, size_t size, void *data);
+int shadowhook_register_dl_init_callback(shadowhook_dl_info_t pre, shadowhook_dl_info_t post, void *data);
+int shadowhook_unregister_dl_init_callback(shadowhook_dl_info_t pre, shadowhook_dl_info_t post, void *data);
+int shadowhook_register_dl_fini_callback(shadowhook_dl_info_t pre, shadowhook_dl_info_t post, void *data);
+int shadowhook_unregister_dl_fini_callback(shadowhook_dl_info_t pre, shadowhook_dl_info_t post, void *data);
+
 // for internal use
 void *shadowhook_get_prev_func(void *func);
 void shadowhook_pop_stack(void *return_address);
diff --git a/shadowhook/src/main/cpp/nothing/sh_nothing.c b/shadowhook/src/main/cpp/nothing/sh_nothing.c
new file mode 100644
index 0000000..dd26a8b
--- /dev/null
+++ b/shadowhook/src/main/cpp/nothing/sh_nothing.c
@@ -0,0 +1,4 @@
+#pragma clang diagnostic push
+#pragma clang diagnostic ignored "-Wunused-variable"
+static int a;
+#pragma clang diagnostic pop
diff --git a/shadowhook/src/main/cpp/sh_exit.c b/shadowhook/src/main/cpp/sh_exit.c
index a167523..f38084b 100644
--- a/shadowhook/src/main/cpp/sh_exit.c
+++ b/shadowhook/src/main/cpp/sh_exit.c
@@ -63,23 +63,14 @@ extern __attribute((weak)) unsigned long int getauxval(unsigned long int);
 static pthread_mutex_t sh_exit_lock = PTHREAD_MUTEX_INITIALIZER;
 static sh_trampo_mgr_t sh_exit_trampo_mgr;
 
-#pragma clang diagnostic push
-#pragma clang diagnostic ignored "-Wpadded"
-typedef struct {
-  uintptr_t load_bias;
-  const ElfW(Phdr) *dlpi_phdr;
-  ElfW(Half) dlpi_phnum;
-} sh_exit_elfinfo_t;
-#pragma clang diagnostic pop
-
-static sh_exit_elfinfo_t sh_exit_app_process_info;
-static sh_exit_elfinfo_t sh_exit_linker_info;
-static sh_exit_elfinfo_t sh_exit_vdso_info;  // vdso may not exist
+static xdl_info_t sh_exit_app_process_info;
+static xdl_info_t sh_exit_linker_info;
+static xdl_info_t sh_exit_vdso_info;  // vdso may not exist
 
 #pragma clang diagnostic push
 #pragma clang diagnostic ignored "-Wgnu-statement-expression"
 
-static void sh_exit_init_elfinfo(unsigned long type, sh_exit_elfinfo_t *info) {
+static void sh_exit_init_elfinfo(unsigned long type, xdl_info_t *info) {
   if (__predict_false(NULL == getauxval)) goto err;
 
   uintptr_t val = (uintptr_t)getauxval(type);
@@ -105,13 +96,13 @@ static void sh_exit_init_elfinfo(unsigned long type, sh_exit_elfinfo_t *info) {
   if (__predict_false(UINTPTR_MAX == min_vaddr || base < min_vaddr)) goto err;
   uintptr_t load_bias = base - min_vaddr;
 
-  info->load_bias = load_bias;
+  info->dli_fbase = (void *)load_bias;
   info->dlpi_phdr = dlpi_phdr;
   info->dlpi_phnum = dlpi_phnum;
   return;
 
 err:
-  info->load_bias = 0;
+  info->dli_fbase = 0;
   info->dlpi_phdr = NULL;
   info->dlpi_phnum = 0;
 }
@@ -231,30 +222,16 @@ static size_t sh_exit_get_gaps(xdl_info_t *dlinfo, sh_exit_gap_t *gaps, size_t g
   return gaps_used;
 }
 
-static bool sh_exit_is_in_elf_range(uintptr_t pc, sh_exit_elfinfo_t *info) {
-  if (pc < info->load_bias) return false;
-
-  uintptr_t vaddr = pc - info->load_bias;
-  for (size_t i = 0; i < info->dlpi_phnum; i++) {
-    const ElfW(Phdr) *phdr = &(info->dlpi_phdr[i]);
-    if (PT_LOAD != phdr->p_type) continue;
-
-    if (phdr->p_vaddr <= vaddr && vaddr < phdr->p_vaddr + phdr->p_memsz) return true;
-  }
-
-  return false;
-}
-
 static bool sh_exit_is_elf_loaded_by_kernel(uintptr_t pc) {
   if (NULL == sh_exit_app_process_info.dlpi_phdr) return true;
-  if (sh_exit_is_in_elf_range(pc, &sh_exit_app_process_info)) return true;
+  if (sh_util_is_in_elf_pt_load(&sh_exit_app_process_info, pc)) return true;
 
   if (NULL == sh_exit_linker_info.dlpi_phdr) return true;
-  if (sh_exit_is_in_elf_range(pc, &sh_exit_linker_info)) return true;
+  if (sh_util_is_in_elf_pt_load(&sh_exit_linker_info, pc)) return true;
 
   // vdso may not exist
   if (NULL != sh_exit_vdso_info.dlpi_phdr)
-    if (sh_exit_is_in_elf_range(pc, &sh_exit_vdso_info)) return true;
+    if (sh_util_is_in_elf_pt_load(&sh_exit_vdso_info, pc)) return true;
 
   return false;
 }
@@ -417,4 +394,10 @@ int sh_exit_free(uintptr_t exit_addr, uint16_t exit_type, uint8_t *exit, size_t
     return sh_exit_free_in_library(exit_addr, exit, exit_len);
 }
 
+void sh_exit_free_after_dlclose(uintptr_t exit_addr, uint16_t exit_type) {
+  if (SH_EXIT_TYPE_OUT_LIBRARY == exit_type) {
+    sh_exit_free_out_library(exit_addr);
+  }
+}
+
 #pragma clang diagnostic pop
diff --git a/shadowhook/src/main/cpp/sh_exit.h b/shadowhook/src/main/cpp/sh_exit.h
index fbc99da..64df18e 100644
--- a/shadowhook/src/main/cpp/sh_exit.h
+++ b/shadowhook/src/main/cpp/sh_exit.h
@@ -32,3 +32,4 @@ void sh_exit_init(void);
 int sh_exit_alloc(uintptr_t *exit_addr, uint16_t *exit_type, uintptr_t pc, xdl_info_t *dlinfo, uint8_t *exit,
                   size_t exit_len, size_t range_low, size_t range_high);
 int sh_exit_free(uintptr_t exit_addr, uint16_t exit_type, uint8_t *exit, size_t exit_len);
+void sh_exit_free_after_dlclose(uintptr_t exit_addr, uint16_t exit_type);
diff --git a/shadowhook/src/main/cpp/sh_hub.c b/shadowhook/src/main/cpp/sh_hub.c
index 2935821..3bbcd71 100644
--- a/shadowhook/src/main/cpp/sh_hub.c
+++ b/shadowhook/src/main/cpp/sh_hub.c
@@ -102,6 +102,7 @@ static sh_trampo_mgr_t sh_hub_trampo_mgr;
 static pthread_key_t sh_hub_stack_tls_key;
 static sh_hub_stack_t *sh_hub_stack_cache;
 static uint8_t *sh_hub_stack_cache_used;
+static pthread_key_t sh_hub_stack_reserved_tls_key;
 
 // hub trampoline template
 extern void *sh_hub_trampo_template_data __attribute__((visibility("hidden")));
@@ -225,8 +226,9 @@ static void sh_hub_stack_destroy(void *buf) {
     SH_LOG_DEBUG("hub: return stack to global cache[%zu] %p", i, buf);
   } else {
     // munmap stack
-    munmap(buf, SH_HUB_STACK_SIZE);
+    sh_safe_munmap(buf, SH_HUB_STACK_SIZE);
   }
+  sh_safe_pthread_setspecific(sh_hub_stack_reserved_tls_key, (const void *)1);
 }
 
 int sh_hub_init(void) {
@@ -235,6 +237,7 @@ int sh_hub_init(void) {
 
   // init TLS key
   if (__predict_false(0 != pthread_key_create(&sh_hub_stack_tls_key, sh_hub_stack_destroy))) return -1;
+  if (__predict_false(0 != pthread_key_create(&sh_hub_stack_reserved_tls_key, NULL))) return -1;
 
   // init hub's stack cache
   if (__predict_false(NULL == (sh_hub_stack_cache = malloc(SH_HUB_THREAD_MAX * sizeof(sh_hub_stack_t)))))
@@ -252,6 +255,9 @@ int sh_hub_init(void) {
 }
 
 static void *sh_hub_push_stack(sh_hub_t *self, void *return_address) {
+  sh_hub_stack_t *reserved_stack =
+      (sh_hub_stack_t *)sh_safe_pthread_getspecific(sh_hub_stack_reserved_tls_key);
+  if (reserved_stack != NULL) goto end;
   sh_hub_stack_t *stack = (sh_hub_stack_t *)sh_safe_pthread_getspecific(sh_hub_stack_tls_key);
 
   // create stack, only once
@@ -313,7 +319,7 @@ void sh_hub_pop_stack(void *return_address) {
   }
 }
 
-sh_hub_t *sh_hub_create(uintptr_t target_addr, uintptr_t *trampo) {
+sh_hub_t *sh_hub_create(uintptr_t *trampo) {
   size_t code_size = (uintptr_t)(&sh_hub_trampo_template_data) - (uintptr_t)(sh_hub_trampo_template_start());
   size_t data_size = sizeof(void *) + sizeof(void *);
 
@@ -341,7 +347,7 @@ sh_hub_t *sh_hub_create(uintptr_t target_addr, uintptr_t *trampo) {
   }
   SH_SIG_EXIT
 
-  // file in data
+  // fill in data
   void **data = (void **)(self->trampo + code_size);
   *data++ = (void *)sh_hub_push_stack;
   *data = (void *)self;
@@ -355,8 +361,8 @@ sh_hub_t *sh_hub_create(uintptr_t target_addr, uintptr_t *trampo) {
   *trampo = self->trampo;
 #endif
 
-  SH_LOG_INFO("hub: create trampo for target_addr %" PRIxPTR " at %" PRIxPTR ", size %zu + %zu = %zu",
-              target_addr, *trampo, code_size, data_size, code_size + data_size);
+  SH_LOG_INFO("hub: create trampo at %" PRIxPTR ", size %zu + %zu = %zu", *trampo, code_size, data_size,
+              code_size + data_size);
   return self;
 }
 
@@ -375,33 +381,32 @@ static void sh_hub_destroy_inner(sh_hub_t *self) {
 }
 
 void sh_hub_destroy(sh_hub_t *self, bool with_delay) {
-  if (SHADOWHOOK_IS_SHARED_MODE) {
-    struct timeval now;
-    gettimeofday(&now, NULL);
-
-    if (!LIST_EMPTY(&sh_hub_delayed_destroy)) {
-      pthread_mutex_lock(&sh_hub_delayed_destroy_lock);
-      sh_hub_t *hub, *hub_tmp;
-      LIST_FOREACH_SAFE(hub, &sh_hub_delayed_destroy, link, hub_tmp)
+  struct timeval now;
+  gettimeofday(&now, NULL);
+
+  if (!LIST_EMPTY(&sh_hub_delayed_destroy)) {
+    pthread_mutex_lock(&sh_hub_delayed_destroy_lock);
+    sh_hub_t *hub, *hub_tmp;
+    LIST_FOREACH_SAFE(hub, &sh_hub_delayed_destroy, link, hub_tmp) {
       if (now.tv_sec - hub->destroy_ts > SH_HUB_DELAY_SEC) {
         LIST_REMOVE(hub, link);
         sh_hub_destroy_inner(hub);
       }
-      pthread_mutex_unlock(&sh_hub_delayed_destroy_lock);
     }
+    pthread_mutex_unlock(&sh_hub_delayed_destroy_lock);
+  }
+
+  if (with_delay) {
+    self->destroy_ts = now.tv_sec;
+    sh_trampo_free(&sh_hub_trampo_mgr, self->trampo);
+    self->trampo = 0;
 
-    if (with_delay) {
-      self->destroy_ts = now.tv_sec;
-      sh_trampo_free(&sh_hub_trampo_mgr, self->trampo);
-      self->trampo = 0;
-
-      pthread_mutex_lock(&sh_hub_delayed_destroy_lock);
-      LIST_INSERT_HEAD(&sh_hub_delayed_destroy, self, link);
-      pthread_mutex_unlock(&sh_hub_delayed_destroy_lock);
-    } else
-      sh_hub_destroy_inner(self);
-  } else
+    pthread_mutex_lock(&sh_hub_delayed_destroy_lock);
+    LIST_INSERT_HEAD(&sh_hub_delayed_destroy, self, link);
+    pthread_mutex_unlock(&sh_hub_delayed_destroy_lock);
+  } else {
     sh_hub_destroy_inner(self);
+  }
 }
 
 uintptr_t sh_hub_get_orig_addr(sh_hub_t *self) {
@@ -412,7 +417,7 @@ uintptr_t *sh_hub_get_orig_addr_addr(sh_hub_t *self) {
   return &self->orig_addr;
 }
 
-int sh_hub_add_proxy(sh_hub_t *self, uintptr_t func) {
+int sh_hub_add_proxy(sh_hub_t *self, uintptr_t proxy_func) {
   int r = SHADOWHOOK_ERRNO_OK;
 
   pthread_mutex_lock(&self->proxies_lock);
@@ -420,7 +425,7 @@ int sh_hub_add_proxy(sh_hub_t *self, uintptr_t func) {
   // check repeated funcion
   sh_hub_proxy_t *proxy;
   SLIST_FOREACH(proxy, &self->proxies, link) {
-    if (proxy->enabled && proxy->func == (void *)func) {
+    if (proxy->enabled && proxy->func == (void *)proxy_func) {
       r = SHADOWHOOK_ERRNO_HOOK_DUP;
       goto end;
     }
@@ -428,10 +433,10 @@ int sh_hub_add_proxy(sh_hub_t *self, uintptr_t func) {
 
   // try to re-enable an exists item
   SLIST_FOREACH(proxy, &self->proxies, link) {
-    if (proxy->func == (void *)func) {
+    if (proxy->func == (void *)proxy_func) {
       if (!proxy->enabled) __atomic_store_n((bool *)&proxy->enabled, true, __ATOMIC_SEQ_CST);
 
-      SH_LOG_INFO("hub: add(re-enable) func %" PRIxPTR, func);
+      SH_LOG_INFO("hub: add(re-enable) func %" PRIxPTR, proxy_func);
       goto end;
     }
   }
@@ -441,7 +446,7 @@ int sh_hub_add_proxy(sh_hub_t *self, uintptr_t func) {
     r = SHADOWHOOK_ERRNO_OOM;
     goto end;
   }
-  proxy->func = (void *)func;
+  proxy->func = (void *)proxy_func;
   proxy->enabled = true;
 
   // insert to the head of the proxy-list
@@ -449,14 +454,14 @@ int sh_hub_add_proxy(sh_hub_t *self, uintptr_t func) {
   // but: __ATOMIC_RELEASE ensures readers see only fully-constructed item
   SLIST_NEXT(proxy, link) = SLIST_FIRST(&self->proxies);
   __atomic_store_n((uintptr_t *)(&SLIST_FIRST(&self->proxies)), (uintptr_t)proxy, __ATOMIC_RELEASE);
-  SH_LOG_INFO("hub: add(new) func %" PRIxPTR, func);
+  SH_LOG_INFO("hub: add(new) func %" PRIxPTR, proxy_func);
 
 end:
   pthread_mutex_unlock(&self->proxies_lock);
   return r;
 }
 
-int sh_hub_del_proxy(sh_hub_t *self, uintptr_t func, bool *have_enabled_proxy) {
+int sh_hub_del_proxy(sh_hub_t *self, uintptr_t proxy_func, bool *have_enabled_proxy) {
   *have_enabled_proxy = false;
 
   pthread_mutex_lock(&self->proxies_lock);
@@ -464,11 +469,11 @@ int sh_hub_del_proxy(sh_hub_t *self, uintptr_t func, bool *have_enabled_proxy) {
   sh_hub_proxy_t *proxy;
   bool deleted = false;
   SLIST_FOREACH(proxy, &self->proxies, link) {
-    if (proxy->func == (void *)func) {
+    if (proxy->func == (void *)proxy_func) {
       if (proxy->enabled) __atomic_store_n((bool *)&proxy->enabled, false, __ATOMIC_SEQ_CST);
 
       deleted = true;
-      SH_LOG_INFO("hub: del func %" PRIxPTR, func);
+      SH_LOG_INFO("hub: del func %" PRIxPTR, proxy_func);
     }
 
     if (proxy->enabled && !*have_enabled_proxy) *have_enabled_proxy = true;
diff --git a/shadowhook/src/main/cpp/sh_hub.h b/shadowhook/src/main/cpp/sh_hub.h
index 2e5f91f..e7396f4 100644
--- a/shadowhook/src/main/cpp/sh_hub.h
+++ b/shadowhook/src/main/cpp/sh_hub.h
@@ -29,14 +29,14 @@ int sh_hub_init(void);
 
 typedef struct sh_hub sh_hub_t;
 
-sh_hub_t *sh_hub_create(uintptr_t target_addr, uintptr_t *trampo);
+sh_hub_t *sh_hub_create(uintptr_t *trampo);
 void sh_hub_destroy(sh_hub_t *self, bool with_delay);
 
 uintptr_t sh_hub_get_orig_addr(sh_hub_t *self);
 uintptr_t *sh_hub_get_orig_addr_addr(sh_hub_t *self);
 
-int sh_hub_add_proxy(sh_hub_t *self, uintptr_t func);
-int sh_hub_del_proxy(sh_hub_t *self, uintptr_t func, bool *have_enabled_proxy);
+int sh_hub_add_proxy(sh_hub_t *self, uintptr_t proxy_func);
+int sh_hub_del_proxy(sh_hub_t *self, uintptr_t proxy_func, bool *have_enabled_proxy);
 
 void *sh_hub_get_prev_func(void *func);
 void sh_hub_pop_stack(void *return_address);
diff --git a/shadowhook/src/main/cpp/sh_linker.c b/shadowhook/src/main/cpp/sh_linker.c
index 23d1f54..3ea0e74 100644
--- a/shadowhook/src/main/cpp/sh_linker.c
+++ b/shadowhook/src/main/cpp/sh_linker.c
@@ -27,8 +27,10 @@
 #include <pthread.h>
 #include <stddef.h>
 #include <stdint.h>
+#include <stdlib.h>
 #include <string.h>
 
+#include "queue.h"
 #include "sh_log.h"
 #include "sh_recorder.h"
 #include "sh_sig.h"
@@ -38,44 +40,98 @@
 #include "xdl.h"
 
 #ifndef __LP64__
-#define SH_LINKER_BASENAME "linker"
+#define SH_LINKER_BASENAME           "linker"
+#define SH_LINKER_SIZEOF_DLINFO      32
+#define SH_LINKER_HOOK_WITH_DL_MUTEX 1
 #else
-#define SH_LINKER_BASENAME "linker64"
+#define SH_LINKER_BASENAME           "linker64"
+#define SH_LINKER_SIZEOF_DLINFO      16
+#define SH_LINKER_HOOK_WITH_DL_MUTEX 0
 #endif
 
+// for struct soinfo's memory scan
+#define SH_LINKER_NOTHING_SO_NAME "libshadowhook_nothing.so"
+static size_t sh_linker_soinfo_offset_load_bias = SIZE_MAX;
+static size_t sh_linker_soinfo_offset_name = SIZE_MAX;
+static size_t sh_linker_soinfo_offset_phdr = SIZE_MAX;
+static size_t sh_linker_soinfo_offset_phnum = SIZE_MAX;
+static size_t sh_linker_soinfo_offset_constructors_called = SIZE_MAX;
+static pid_t sh_linker_soinfo_offset_scan_tid = 0;
+static bool sh_linker_soinfo_offset_scan_ok = false;
+
+// >= Android 5.0. hook soinfo::call_constructors() and soinfo::call_destructors()
+#define SH_LINKER_SYM_CALL_CONSTRUCTORS_L "__dl__ZN6soinfo16CallConstructorsEv"
+#define SH_LINKER_SYM_CALL_DESTRUCTORS_L  "__dl__ZN6soinfo15CallDestructorsEv"
+#define SH_LINKER_SYM_CALL_CONSTRUCTORS_M "__dl__ZN6soinfo17call_constructorsEv"
+#define SH_LINKER_SYM_CALL_DESTRUCTORS_M  "__dl__ZN6soinfo16call_destructorsEv"
+#if SH_LINKER_HOOK_WITH_DL_MUTEX
 #define SH_LINKER_SYM_G_DL_MUTEX        "__dl__ZL10g_dl_mutex"
 #define SH_LINKER_SYM_G_DL_MUTEX_U_QPR2 "__dl_g_dl_mutex"
-#define SH_LINKER_SYM_DO_DLOPEN_L       "__dl__Z9do_dlopenPKciPK17android_dlextinfo"
-#define SH_LINKER_SYM_DO_DLOPEN_N       "__dl__Z9do_dlopenPKciPK17android_dlextinfoPv"
-#define SH_LINKER_SYM_DO_DLOPEN_O       "__dl__Z9do_dlopenPKciPK17android_dlextinfoPKv"
-
-static bool sh_linker_dlopen_hooked = false;
-
-static sh_linker_post_dlopen_t sh_linker_post_dlopen;
-static void *sh_linker_post_dlopen_arg;
-
-static pthread_mutex_t *sh_linker_g_dl_mutex;
-static uintptr_t sh_linker_dlopen_addr;  // save address of dlopen(==4.x) or do_dlopen(>=5.0)
-static xdl_info_t sh_linker_dlopen_dlinfo;
+#endif
 
-#if defined(__arm__) && __ANDROID_API__ < __ANDROID_API_L__
+// >= Android 5.0. soinfo::call_constructors() and soinfo::call_destructors() callbacks
+typedef struct sh_linker_dl_info_cb {
+  shadowhook_dl_info_t pre;
+  shadowhook_dl_info_t post;
+  void *data;
+  TAILQ_ENTRY(sh_linker_dl_info_cb, ) link;
+} sh_linker_dl_info_cb_t;
+typedef TAILQ_HEAD(sh_linker_dl_info_cb_queue, sh_linker_dl_info_cb, ) sh_linker_dl_info_cb_queue_t;
+static sh_linker_dl_info_cb_queue_t sh_linker_dl_init_cbs = TAILQ_HEAD_INITIALIZER(sh_linker_dl_init_cbs);
+static pthread_rwlock_t sh_linker_dl_init_cbs_lock = PTHREAD_RWLOCK_INITIALIZER;
+static sh_linker_dl_info_cb_queue_t sh_linker_dl_fini_cbs = TAILQ_HEAD_INITIALIZER(sh_linker_dl_fini_cbs);
+static pthread_rwlock_t sh_linker_dl_fini_cbs_lock = PTHREAD_RWLOCK_INITIALIZER;
+
+#if SH_UTIL_COMPATIBLE_WITH_ARM_ANDROID_4_X
+
+// == Android 4.x. for dlopen() interceptor and post-callback
+static bool sh_linker_dlopen_hook_tried = false;
+static sh_linker_dlopen_post_t sh_linker_dlopen_post;
+
+// == Android 4.x
 static uintptr_t sh_linker_dlfcn[6];
 static const char *sh_linker_dlfcn_name[6] = {"dlopen", "dlerror", "dlsym",
                                               "dladdr", "dlclose", "dl_unwind_find_exidx"};
+__attribute__((constructor)) static void sh_linker_ctor(void) {
+  // Android 4.x linker does not export these symbols. We save the addresses of these
+  // functions in the .init_array to reduce the probability of being PLT-hooked.
+  // The purpose of the negation operation(~) is to avoid being optimized by the compiler.
+  sh_linker_dlfcn[0] = ~(uintptr_t)dlopen;
+  sh_linker_dlfcn[1] = ~(uintptr_t)dlerror;
+  sh_linker_dlfcn[2] = ~(uintptr_t)dlsym;
+  sh_linker_dlfcn[3] = ~(uintptr_t)dladdr;
+  sh_linker_dlfcn[4] = ~(uintptr_t)dlclose;
+  sh_linker_dlfcn[5] = ~(uintptr_t)dl_unwind_find_exidx;
+}
+
 #endif
 
-__attribute__((constructor)) static void sh_linker_ctor(void) {
-  sh_linker_dlopen_addr = (uintptr_t)dlopen;
-#if defined(__arm__) && __ANDROID_API__ < __ANDROID_API_L__
-  sh_linker_dlfcn[0] = (uintptr_t)dlopen;
-  sh_linker_dlfcn[1] = (uintptr_t)dlerror;
-  sh_linker_dlfcn[2] = (uintptr_t)dlsym;
-  sh_linker_dlfcn[3] = (uintptr_t)dladdr;
-  sh_linker_dlfcn[4] = (uintptr_t)dlclose;
-  sh_linker_dlfcn[5] = (uintptr_t)dl_unwind_find_exidx;
+static const char *sh_linker_match_dlfcn(uintptr_t target_addr) {
+#if SH_UTIL_COMPATIBLE_WITH_ARM_ANDROID_4_X
+  if (__predict_false(sh_util_get_api_level() < __ANDROID_API_L__))
+    for (size_t i = 0; i < sizeof(sh_linker_dlfcn) / sizeof(sh_linker_dlfcn[0]); i++)
+      if (~sh_linker_dlfcn[i] == target_addr) return sh_linker_dlfcn_name[i];
+#else
+  (void)target_addr;
 #endif
+
+  return NULL;
 }
 
+#if SH_UTIL_COMPATIBLE_WITH_ARM_ANDROID_4_X
+bool sh_linker_need_to_pre_register(uintptr_t target_addr) {
+  if (SHADOWHOOK_IS_SHARED_MODE) return false;
+
+  if (__predict_false(sh_util_get_api_level() < __ANDROID_API_L__)) {
+    if (sh_linker_dlopen_hook_tried) return false;
+    if (target_addr == ~sh_linker_dlfcn[0]) return true;
+    return false;
+  } else {
+    return false;
+  }
+}
+#endif
+
 static void *sh_linker_get_base_addr(xdl_info_t *dlinfo) {
   uintptr_t vaddr_min = UINTPTR_MAX;
   for (size_t i = 0; i < dlinfo->dlpi_phnum; i++) {
@@ -107,188 +163,559 @@ static bool sh_linker_check_arch(xdl_info_t *dlinfo) {
   return true;
 }
 
-int sh_linker_init(void) {
-  memset(&sh_linker_dlopen_dlinfo, 0, sizeof(sh_linker_dlopen_dlinfo));
+#if SH_UTIL_COMPATIBLE_WITH_ARM_ANDROID_4_X
 
-  int api_level = sh_util_get_api_level();
-  if (__predict_true(api_level >= __ANDROID_API_L__)) {
-    sh_linker_dlopen_addr = 0;
+typedef void *(*sh_linker_proxy_dlopen_t)(const char *, int);
+static sh_linker_proxy_dlopen_t sh_linker_orig_dlopen;
+static void *sh_linker_proxy_dlopen(const char *filename, int flag) {
+  void *handle;
+  if (SHADOWHOOK_IS_SHARED_MODE)
+    handle = SHADOWHOOK_CALL_PREV(sh_linker_proxy_dlopen, sh_linker_proxy_dlopen_t, filename, flag);
+  else
+    handle = sh_linker_orig_dlopen(filename, flag);
 
-    void *handle = xdl_open(SH_LINKER_BASENAME, XDL_DEFAULT);
-    if (__predict_false(NULL == handle)) return -1;
-    xdl_info(handle, XDL_DI_DLINFO, (void *)&sh_linker_dlopen_dlinfo);
-    sh_linker_dlopen_dlinfo.dli_fname = SH_LINKER_BASENAME;
+  if (__predict_true(NULL != handle)) sh_linker_dlopen_post();
 
-    // get g_dl_mutex
-    if (api_level > __ANDROID_API_U__) {
-      sh_linker_g_dl_mutex = (pthread_mutex_t *)(xdl_dsym(handle, SH_LINKER_SYM_G_DL_MUTEX_U_QPR2, NULL));
-    } else {
-      sh_linker_g_dl_mutex = (pthread_mutex_t *)(xdl_dsym(handle, SH_LINKER_SYM_G_DL_MUTEX, NULL));
-      if (NULL == sh_linker_g_dl_mutex && api_level == __ANDROID_API_U__)
-        sh_linker_g_dl_mutex = (pthread_mutex_t *)(xdl_dsym(handle, SH_LINKER_SYM_G_DL_MUTEX_U_QPR2, NULL));
+  SHADOWHOOK_POP_STACK();
+  return handle;
+}
+
+int sh_linker_register_dlopen_post_callback(sh_linker_dlopen_post_t post) {
+  static pthread_mutex_t lock = PTHREAD_MUTEX_INITIALIZER;
+  static int result = SHADOWHOOK_ERRNO_MONITOR_DLOPEN;
+
+  if (sh_linker_dlopen_hook_tried) return result;
+  pthread_mutex_lock(&lock);
+  if (sh_linker_dlopen_hook_tried) goto end;
+
+  sh_linker_dlopen_hook_tried = true;  // only once
+  sh_linker_dlopen_post = post;
+
+  // get dlinfo
+  void *handle = xdl_open(SH_LINKER_BASENAME, XDL_DEFAULT);
+  if (__predict_false(NULL == handle)) goto end;
+  xdl_info_t dlinfo;
+  xdl_info(handle, XDL_DI_DLINFO, &dlinfo);
+  xdl_close(handle);
+  dlinfo.dli_fname = SH_LINKER_BASENAME;
+  dlinfo.dli_sname = sh_linker_dlfcn_name[0];
+  dlinfo.dli_saddr = (void *)~sh_linker_dlfcn[0];
+  dlinfo.dli_ssize = 4;
+
+  // check arch
+  if (!sh_linker_check_arch(&dlinfo)) {
+    result = SHADOWHOOK_ERRNO_LINKER_ARCH_MISMATCH;
+    goto end;
+  }
+
+  // do hook
+  int (*hook)(uintptr_t, uintptr_t, uintptr_t *, size_t *, xdl_info_t *) =
+      SHADOWHOOK_IS_SHARED_MODE ? sh_switch_hook : sh_switch_hook_invisible;
+  size_t backup_len = 0;
+  int r = hook((uintptr_t)dlinfo.dli_saddr, (uintptr_t)sh_linker_proxy_dlopen,
+               (uintptr_t *)&sh_linker_orig_dlopen, &backup_len, &dlinfo);
+
+  // do record
+  sh_recorder_add_hook(r, true, (uintptr_t)dlinfo.dli_saddr, SH_LINKER_BASENAME, dlinfo.dli_sname,
+                       (uintptr_t)sh_linker_proxy_dlopen, backup_len, UINTPTR_MAX,
+                       (uintptr_t)(__builtin_return_address(0)));
+  if (0 != r) goto end;
+
+  // OK
+  result = 0;
+
+end:
+  pthread_mutex_unlock(&lock);
+  SH_LOG_INFO("linker: hook dlopen %s, return: %d", 0 == result ? "OK" : "FAILED", result);
+  return result;
+}
+#endif
+
+// struct soinfo {
+//  // ......
+//  const ElfW(Phdr)* phdr;
+//  size_t phnum;
+//  // ......
+//  // from: link_map link_map_head;
+//  ElfW(Addr) l_addr;
+//  char* l_name;
+//  ElfW(Dyn)* l_ld;
+//  struct link_map* l_next;
+//  struct link_map* l_prev;
+//
+//  bool constructors_called;
+//  ElfW(Addr) load_bias;
+//  // ......
+//};
+static int sh_linker_soinfo_memory_scan_pre(void *soinfo) {
+  void *handle = xdl_open(SH_LINKER_NOTHING_SO_NAME, XDL_DEFAULT);
+  if (NULL == handle) {
+    SH_LOG_ERROR("linker: memory_scan_pre, NULL == handle");
+    return -1;
+  }
+
+  xdl_info_t dlinfo;
+  xdl_info(handle, XDL_DI_DLINFO, (void *)&dlinfo);
+
+  uintptr_t l_ld = UINTPTR_MAX;
+  for (size_t i = 0; i < dlinfo.dlpi_phnum; i++) {
+    if (dlinfo.dlpi_phdr[i].p_type == PT_DYNAMIC) {
+      l_ld = (uintptr_t)dlinfo.dli_fbase + dlinfo.dlpi_phdr[i].p_vaddr;
+      break;
     }
+  }
+  if (UINTPTR_MAX == l_ld) {
+    SH_LOG_ERROR("linker: memory_scan_pre, UINTPTR_MAX == l_ld");
+    goto end;
+  }
+
+  //  SH_LOG_INFO("linker scan: %"PRIxPTR", %"PRIxPTR", %"PRIxPTR", %zu, %s", (uintptr_t)dlinfo.dli_fbase,
+  //              l_ld, (uintptr_t)dlinfo.dlpi_phdr, dlinfo.dlpi_phnum, dlinfo.dli_fname);
+  //  for (size_t i = 0; i < sizeof(uintptr_t) * 96; i += sizeof(uintptr_t))
+  //    SH_LOG_INFO("linker scan: %zu - %"PRIxPTR, i, *((uintptr_t *)((uintptr_t)soinfo + i)));
+
+  for (size_t i = 0; i < sizeof(uintptr_t) * 96; i += sizeof(uintptr_t)) {
+    if (sh_linker_soinfo_offset_phdr != SIZE_MAX && sh_linker_soinfo_offset_load_bias != SIZE_MAX)
+      break;  // finished
+
+    uintptr_t val_0;
+    uintptr_t val_1;
+    uintptr_t val_2;
+    uintptr_t val_3;
+    uintptr_t val_4;
+    uintptr_t val_5;
+    uintptr_t val_6;
+    SH_SIG_TRY(SIGSEGV, SIGBUS) {
+      val_0 = *((uintptr_t *)((uintptr_t)soinfo + i));
+      val_1 = *((uintptr_t *)((uintptr_t)soinfo + i + sizeof(uintptr_t)));
+      val_2 = *((uintptr_t *)((uintptr_t)soinfo + i + sizeof(uintptr_t) * 2));
+      val_3 = *((uintptr_t *)((uintptr_t)soinfo + i + sizeof(uintptr_t) * 3));
+      val_4 = *((uintptr_t *)((uintptr_t)soinfo + i + sizeof(uintptr_t) * 4));
+      val_5 = *((uintptr_t *)((uintptr_t)soinfo + i + sizeof(uintptr_t) * 5));
+      val_6 = *((uintptr_t *)((uintptr_t)soinfo + i + sizeof(uintptr_t) * 6));
+    }
+    SH_SIG_CATCH() {
+      SH_LOG_ERROR("linker: memory_scan_pre, read val_0...val_6 crashed");
+      goto end;
+    }
+    SH_SIG_EXIT
 
-    // get do_dlopen
-    if (api_level >= __ANDROID_API_O__)
-      sh_linker_dlopen_dlinfo.dli_sname = SH_LINKER_SYM_DO_DLOPEN_O;
-    else if (api_level >= __ANDROID_API_N__)
-      sh_linker_dlopen_dlinfo.dli_sname = SH_LINKER_SYM_DO_DLOPEN_N;
-    else
-      sh_linker_dlopen_dlinfo.dli_sname = SH_LINKER_SYM_DO_DLOPEN_L;
-    sh_linker_dlopen_dlinfo.dli_saddr =
-        xdl_dsym(handle, sh_linker_dlopen_dlinfo.dli_sname, &(sh_linker_dlopen_dlinfo.dli_ssize));
-    sh_linker_dlopen_addr = (uintptr_t)sh_linker_dlopen_dlinfo.dli_saddr;
+    if (sh_linker_soinfo_offset_phdr == SIZE_MAX && val_0 == (uintptr_t)dlinfo.dlpi_phdr &&
+        val_1 == (uintptr_t)dlinfo.dlpi_phnum) {
+      sh_linker_soinfo_offset_phdr = i;
+      sh_linker_soinfo_offset_phnum = i + sizeof(uintptr_t);
+      i += sizeof(uintptr_t);
+      continue;
+    }
 
-    xdl_close(handle);
+    if (sh_linker_soinfo_offset_load_bias == SIZE_MAX && val_0 == (uintptr_t)dlinfo.dli_fbase &&
+        val_2 == l_ld && val_5 == 0 && val_6 == val_0) {
+      bool l_name_matched = false;
+      SH_SIG_TRY(SIGSEGV, SIGBUS) {
+        l_name_matched = sh_util_ends_with((const char *)val_1, SH_LINKER_NOTHING_SO_NAME);
+      }
+      SH_SIG_CATCH() {
+        l_name_matched = false;
+      }
+      SH_SIG_EXIT
+
+      if (l_name_matched) {
+        sh_linker_soinfo_offset_load_bias = i;
+        sh_linker_soinfo_offset_name = i + sizeof(uintptr_t);
+        sh_linker_soinfo_offset_constructors_called = i + sizeof(uintptr_t) * 5;
+        i += sizeof(uintptr_t) * 6;
+        continue;
+      }
+    }
+
+    if (val_0 != (uintptr_t)dlinfo.dlpi_phdr && val_0 != (uintptr_t)dlinfo.dli_fbase &&
+        val_1 != (uintptr_t)dlinfo.dlpi_phdr && val_1 != (uintptr_t)dlinfo.dli_fbase &&
+        val_2 != (uintptr_t)dlinfo.dlpi_phdr && val_2 != (uintptr_t)dlinfo.dli_fbase &&
+        val_3 != (uintptr_t)dlinfo.dlpi_phdr && val_3 != (uintptr_t)dlinfo.dli_fbase &&
+        val_4 != (uintptr_t)dlinfo.dlpi_phdr && val_4 != (uintptr_t)dlinfo.dli_fbase &&
+        val_5 != (uintptr_t)dlinfo.dlpi_phdr && val_5 != (uintptr_t)dlinfo.dli_fbase &&
+        val_6 != (uintptr_t)dlinfo.dlpi_phdr && val_6 != (uintptr_t)dlinfo.dli_fbase) {
+      // try to avoid reading data repeatedly, to reduce the number of calls to "bytesig try-catch"
+      i += sizeof(uintptr_t) * 6;
+    }
   }
 
-  return (0 != sh_linker_dlopen_addr && (NULL != sh_linker_g_dl_mutex || api_level < __ANDROID_API_L__)) ? 0
-                                                                                                         : -1;
+end:
+  if (NULL != handle) xdl_close(handle);
+  if (sh_linker_soinfo_offset_load_bias == SIZE_MAX || sh_linker_soinfo_offset_name == SIZE_MAX ||
+      sh_linker_soinfo_offset_phdr == SIZE_MAX || sh_linker_soinfo_offset_phnum == SIZE_MAX ||
+      sh_linker_soinfo_offset_constructors_called == SIZE_MAX) {
+    SH_LOG_ERROR("linker: memory_scan_pre, check offsets FAILED, %zu, %zu, %zu, %zu, %zu",
+                 sh_linker_soinfo_offset_load_bias, sh_linker_soinfo_offset_name,
+                 sh_linker_soinfo_offset_phdr, sh_linker_soinfo_offset_phnum,
+                 sh_linker_soinfo_offset_constructors_called);
+    return -1;
+  }
+
+  SH_LOG_INFO("linker: soinfo memory scan pre OK. load_bias %zu, name %zu, phdr %zu, phnum %zu, called %zu",
+              sh_linker_soinfo_offset_load_bias, sh_linker_soinfo_offset_name, sh_linker_soinfo_offset_phdr,
+              sh_linker_soinfo_offset_phnum, sh_linker_soinfo_offset_constructors_called);
+  return 0;
 }
 
-const char *sh_linker_match_dlfcn(uintptr_t target_addr) {
-#if defined(__arm__) && __ANDROID_API__ < __ANDROID_API_L__
-  if (sh_util_get_api_level() < __ANDROID_API_L__)
-    for (size_t i = 0; i < sizeof(sh_linker_dlfcn) / sizeof(sh_linker_dlfcn[0]); i++)
-      if (sh_linker_dlfcn[i] == target_addr) return sh_linker_dlfcn_name[i];
-#else
-  (void)target_addr;
-#endif
+static void sh_linker_soinfo_memory_scan_post(void *soinfo) {
+  uintptr_t val = *((uintptr_t *)((uintptr_t)soinfo + sh_linker_soinfo_offset_constructors_called));
+  if (val != 0) {
+    __atomic_store_n(&sh_linker_soinfo_offset_scan_ok, true, __ATOMIC_RELEASE);
+    SH_LOG_INFO("linker: soinfo memory scan post OK");
+  } else {
+    SH_LOG_ERROR("linker: memory_scan_post, check val != 0 FAILED");
+  }
+}
 
-  return NULL;
+static void sh_linker_soinfo_to_dlinfo(void *soinfo, struct dl_phdr_info *dlinfo) {
+  dlinfo->dlpi_addr = *((ElfW(Addr) *)((uintptr_t)soinfo + sh_linker_soinfo_offset_load_bias));
+  dlinfo->dlpi_name = *((const char **)((uintptr_t)soinfo + sh_linker_soinfo_offset_name));
+  dlinfo->dlpi_phdr = *((const ElfW(Phdr) **)((uintptr_t)soinfo + sh_linker_soinfo_offset_phdr));
+  dlinfo->dlpi_phnum = (ElfW(Half))(*((size_t *)((uintptr_t)soinfo + sh_linker_soinfo_offset_phnum)));
 }
 
-bool sh_linker_need_to_hook_dlopen(uintptr_t target_addr) {
-  return SHADOWHOOK_IS_UNIQUE_MODE && !sh_linker_dlopen_hooked && target_addr == sh_linker_dlopen_addr;
+static bool sh_linker_soinfo_is_loading(void *soinfo) {
+  return *((int *)((uintptr_t)soinfo + sh_linker_soinfo_offset_constructors_called)) == 0;
 }
 
-typedef void *(*sh_linker_proxy_dlopen_t)(const char *, int);
-static sh_linker_proxy_dlopen_t sh_linker_orig_dlopen;
-static void *sh_linker_proxy_dlopen(const char *filename, int flag) {
-  void *handle;
+typedef void (*sh_linker_proxy_soinfo_call_ctors_t)(void *);
+static sh_linker_proxy_soinfo_call_ctors_t sh_linker_orig_soinfo_call_ctors;
+static void sh_linker_proxy_soinfo_call_ctors(void *soinfo) {
+  sh_linker_dl_info_cb_t *cb;
+  struct dl_phdr_info dlinfo;
+  bool do_callbacks = false;
+  bool do_memory_scan_pre_ok = false;
+  pid_t scan_tid = __atomic_load_n(&sh_linker_soinfo_offset_scan_tid, __ATOMIC_ACQUIRE);
+
+  if (__predict_true(0 == scan_tid)) {
+    if (__predict_true(__atomic_load_n(&sh_linker_soinfo_offset_scan_ok, __ATOMIC_RELAXED))) {
+      if (sh_linker_soinfo_is_loading(soinfo) && !TAILQ_EMPTY(&sh_linker_dl_init_cbs)) {
+        // do pre-callbacks
+        do_callbacks = true;
+        sh_linker_soinfo_to_dlinfo(soinfo, &dlinfo);
+
+        SH_LOG_INFO("linker: call_ctors pre, load_bias %" PRIxPTR ", name %s", (uintptr_t)dlinfo.dlpi_addr,
+                    dlinfo.dlpi_name);
+        pthread_rwlock_rdlock(&sh_linker_dl_init_cbs_lock);
+        TAILQ_FOREACH(cb, &sh_linker_dl_init_cbs, link) {
+          if (NULL != cb->pre) cb->pre(&dlinfo, SH_LINKER_SIZEOF_DLINFO, cb->data);
+        }
+        pthread_rwlock_unlock(&sh_linker_dl_init_cbs_lock);
+      }
+    }
+  } else {
+    if (__predict_true(gettid() == scan_tid)) {
+      // do pre-memory-scan
+      if (0 == sh_linker_soinfo_memory_scan_pre(soinfo)) do_memory_scan_pre_ok = true;
+    }
+  }
+
   if (SHADOWHOOK_IS_SHARED_MODE)
-    handle = SHADOWHOOK_CALL_PREV(sh_linker_proxy_dlopen, sh_linker_proxy_dlopen_t, filename, flag);
+    SHADOWHOOK_CALL_PREV(sh_linker_proxy_soinfo_call_ctors, sh_linker_proxy_soinfo_call_ctors_t, soinfo);
   else
-    handle = sh_linker_orig_dlopen(filename, flag);
-
-  if (NULL != handle) sh_linker_post_dlopen(sh_linker_post_dlopen_arg);
+    sh_linker_orig_soinfo_call_ctors(soinfo);
+
+  if (do_callbacks) {
+    // do post-callbacks
+    SH_LOG_INFO("linker: call_ctors post, load_bias %" PRIxPTR ", name %s", (uintptr_t)dlinfo.dlpi_addr,
+                dlinfo.dlpi_name);
+    pthread_rwlock_rdlock(&sh_linker_dl_init_cbs_lock);
+    TAILQ_FOREACH(cb, &sh_linker_dl_init_cbs, link) {
+      if (NULL != cb->post) cb->post(&dlinfo, SH_LINKER_SIZEOF_DLINFO, cb->data);
+    }
+    pthread_rwlock_unlock(&sh_linker_dl_init_cbs_lock);
+  } else {
+    if (__predict_false(do_memory_scan_pre_ok)) {
+      // do post-memory-scan
+      sh_linker_soinfo_memory_scan_post(soinfo);
+    }
+  }
 
-  if (SHADOWHOOK_IS_SHARED_MODE) SHADOWHOOK_POP_STACK();
-  return handle;
+  SHADOWHOOK_POP_STACK();
 }
 
-typedef void *(*sh_linker_proxy_do_dlopen_l_t)(const char *, int, const void *);
-static sh_linker_proxy_do_dlopen_l_t sh_linker_orig_do_dlopen_l;
-static void *sh_linker_proxy_do_dlopen_l(const char *name, int flags, const void *extinfo) {
-  void *handle;
+typedef void (*sh_linker_proxy_soinfo_call_dtors_t)(void *);
+static sh_linker_proxy_soinfo_call_dtors_t sh_linker_orig_soinfo_call_dtors;
+static void sh_linker_proxy_soinfo_call_dtors(void *soinfo) {
+  sh_linker_dl_info_cb_t *cb;
+  struct dl_phdr_info dlinfo;
+  bool do_callbacks = false;
+
+  if (__predict_true(0 == __atomic_load_n(&sh_linker_soinfo_offset_scan_tid, __ATOMIC_ACQUIRE))) {
+    if (__predict_true(__atomic_load_n(&sh_linker_soinfo_offset_scan_ok, __ATOMIC_RELAXED))) {
+      if (!TAILQ_EMPTY(&sh_linker_dl_init_cbs)) {
+        sh_linker_soinfo_to_dlinfo(soinfo, &dlinfo);
+
+        // The following check is used to ignore: soinfo::call_destructors() call
+        // when the linker encounters an error while loading the ELF.
+        if (__predict_true(0 != dlinfo.dlpi_addr && NULL != dlinfo.dlpi_name &&
+                           !sh_linker_soinfo_is_loading(soinfo))) {
+          // do pre-callbacks
+          do_callbacks = true;
+
+          SH_LOG_INFO("linker: call_dtors pre, load_bias %" PRIxPTR ", name %s", (uintptr_t)dlinfo.dlpi_addr,
+                      dlinfo.dlpi_name);
+          pthread_rwlock_rdlock(&sh_linker_dl_fini_cbs_lock);
+          TAILQ_FOREACH(cb, &sh_linker_dl_fini_cbs, link) {
+            if (NULL != cb->pre) cb->pre(&dlinfo, SH_LINKER_SIZEOF_DLINFO, cb->data);
+          }
+          pthread_rwlock_unlock(&sh_linker_dl_fini_cbs_lock);
+        }
+      }
+    }
+  }
+
   if (SHADOWHOOK_IS_SHARED_MODE)
-    handle = SHADOWHOOK_CALL_PREV(sh_linker_proxy_do_dlopen_l, sh_linker_proxy_do_dlopen_l_t, name, flags,
-                                  extinfo);
+    SHADOWHOOK_CALL_PREV(sh_linker_proxy_soinfo_call_dtors, sh_linker_proxy_soinfo_call_dtors_t, soinfo);
   else
-    handle = sh_linker_orig_do_dlopen_l(name, flags, extinfo);
-
-  if (NULL != handle) sh_linker_post_dlopen(sh_linker_post_dlopen_arg);
+    sh_linker_orig_soinfo_call_dtors(soinfo);
+
+  if (do_callbacks) {
+    // do post-callbacks
+    SH_LOG_INFO("linker: call_dtors post, load_bias %" PRIxPTR ", name %s", (uintptr_t)dlinfo.dlpi_addr,
+                dlinfo.dlpi_name);
+    pthread_rwlock_rdlock(&sh_linker_dl_fini_cbs_lock);
+    TAILQ_FOREACH(cb, &sh_linker_dl_fini_cbs, link) {
+      if (NULL != cb->post) cb->post(&dlinfo, SH_LINKER_SIZEOF_DLINFO, cb->data);
+    }
+    pthread_rwlock_unlock(&sh_linker_dl_fini_cbs_lock);
+  }
 
-  if (SHADOWHOOK_IS_SHARED_MODE) SHADOWHOOK_POP_STACK();
-  return handle;
+  SHADOWHOOK_POP_STACK();
 }
 
-typedef void *(*sh_linker_proxy_do_dlopen_n_t)(const char *, int, const void *, void *);
-static sh_linker_proxy_do_dlopen_n_t sh_linker_orig_do_dlopen_n;
-static void *sh_linker_proxy_do_dlopen_n(const char *name, int flags, const void *extinfo,
-                                         void *caller_addr) {
-  void *handle;
-  if (SHADOWHOOK_IS_SHARED_MODE)
-    handle = SHADOWHOOK_CALL_PREV(sh_linker_proxy_do_dlopen_n, sh_linker_proxy_do_dlopen_n_t, name, flags,
-                                  extinfo, caller_addr);
-  else
-    handle = sh_linker_orig_do_dlopen_n(name, flags, extinfo, caller_addr);
+static int sh_linker_hook_call_ctors_dtors(xdl_info_t *call_constructors_dlinfo,
+                                           xdl_info_t *call_destructors_dlinfo, pthread_mutex_t *g_dl_mutex) {
+  int r = -1;
+  int r_hook_ctors = INT_MAX;
+  int r_hook_dtors = INT_MAX;
+  size_t backup_len_ctors = 0;
+  size_t backup_len_dtors = 0;
+  int (*hook)(uintptr_t, uintptr_t, uintptr_t *, size_t *, xdl_info_t *) =
+      SHADOWHOOK_IS_SHARED_MODE ? sh_switch_hook : sh_switch_hook_invisible;
 
-  if (NULL != handle) sh_linker_post_dlopen(sh_linker_post_dlopen_arg);
+#if !SH_LINKER_HOOK_WITH_DL_MUTEX
+  (void)g_dl_mutex;
+#endif
 
-  if (SHADOWHOOK_IS_SHARED_MODE) SHADOWHOOK_POP_STACK();
-  return handle;
-}
+#if SH_LINKER_HOOK_WITH_DL_MUTEX
+  pthread_mutex_lock(g_dl_mutex);
+#endif
 
-int sh_linker_hook_dlopen(sh_linker_post_dlopen_t post_dlopen, void *post_dlopen_arg) {
-  static pthread_mutex_t lock = PTHREAD_MUTEX_INITIALIZER;
-  static int result = SHADOWHOOK_ERRNO_MONITOR_DLOPEN;
+  // hook soinfo::call_constructors()
+  SH_LOG_INFO("linker: hook soinfo::call_constructors");
+  r_hook_ctors =
+      hook((uintptr_t)call_constructors_dlinfo->dli_saddr, (uintptr_t)sh_linker_proxy_soinfo_call_ctors,
+           (uintptr_t *)&sh_linker_orig_soinfo_call_ctors, &backup_len_ctors, call_constructors_dlinfo);
+  if (__predict_false(0 != r_hook_ctors)) {
+#if SH_LINKER_HOOK_WITH_DL_MUTEX
+    pthread_mutex_unlock(g_dl_mutex);
+#endif
+    goto end;
+  }
 
-  if (sh_linker_dlopen_hooked) return result;
-  pthread_mutex_lock(&lock);
-  if (sh_linker_dlopen_hooked) goto end;
+  // hook soinfo::call_destructors()
+  SH_LOG_INFO("linker: hook soinfo::call_destructors");
+  r_hook_dtors =
+      hook((uintptr_t)call_destructors_dlinfo->dli_saddr, (uintptr_t)sh_linker_proxy_soinfo_call_dtors,
+           (uintptr_t *)&sh_linker_orig_soinfo_call_dtors, &backup_len_dtors, call_destructors_dlinfo);
+  if (__predict_false(0 != r_hook_dtors)) {
+#if SH_LINKER_HOOK_WITH_DL_MUTEX
+    pthread_mutex_unlock(g_dl_mutex);
+#endif
+    goto end;
+  }
 
-  // try hooking-dlopen only once
-  sh_linker_dlopen_hooked = true;
+#if SH_LINKER_HOOK_WITH_DL_MUTEX
+  pthread_mutex_unlock(g_dl_mutex);
+#endif
 
-  // do init for SHARED mode
-  if (SHADOWHOOK_IS_SHARED_MODE)
-    if (0 != sh_linker_init()) goto end;
+  // do memory scan for struct soinfo
+  __atomic_store_n(&sh_linker_soinfo_offset_scan_tid, gettid(), __ATOMIC_RELEASE);
+  void *handle = dlopen(SH_LINKER_NOTHING_SO_NAME, RTLD_NOW);
+  if (__predict_true(NULL != handle)) dlclose(handle);
+  __atomic_store_n(&sh_linker_soinfo_offset_scan_tid, 0, __ATOMIC_RELEASE);
+  if (__predict_false(NULL == handle)) {
+    SH_LOG_ERROR("linker: dlopen nothing.so FAILED");
+    goto end;
+  }
+  if (__predict_false(!__atomic_load_n(&sh_linker_soinfo_offset_scan_ok, __ATOMIC_ACQUIRE))) {
+    SH_LOG_ERROR("linker: check soinfo_offset_scan_ok FAILED");
+    goto end;
+  }
 
-  // save post callback ptr before hooking
-  sh_linker_post_dlopen = post_dlopen;
-  sh_linker_post_dlopen_arg = post_dlopen_arg;
+  // OK
+  r = 0;
 
-  // hook for dlopen() or do_dlopen()
-  int (*hook)(uintptr_t, uintptr_t, uintptr_t *, size_t *, xdl_info_t *) =
-      SHADOWHOOK_IS_SHARED_MODE ? sh_switch_hook : sh_switch_hook_invisible;
-  int api_level = sh_util_get_api_level();
-  size_t backup_len = 0;
-  int r;
-  if (api_level < __ANDROID_API_L__) {
-    // get & check dlinfo
-    r = sh_linker_get_dlinfo_by_addr((void *)sh_linker_dlopen_addr, &sh_linker_dlopen_dlinfo, NULL, 0, NULL,
-                                     0, false);
-    if (SHADOWHOOK_ERRNO_LINKER_ARCH_MISMATCH == r) result = SHADOWHOOK_ERRNO_LINKER_ARCH_MISMATCH;
-    if (0 != r) goto end;
-
-    // hook
-    r = hook(sh_linker_dlopen_addr, (uintptr_t)sh_linker_proxy_dlopen, (uintptr_t *)&sh_linker_orig_dlopen,
-             &backup_len, &sh_linker_dlopen_dlinfo);
-
-    // record
-    sh_recorder_add_hook(r, true, sh_linker_dlopen_addr, SH_LINKER_BASENAME, "dlopen",
-                         (uintptr_t)sh_linker_proxy_dlopen, backup_len, UINTPTR_MAX,
+end:
+  // do records
+  if (INT_MAX != r_hook_ctors)
+    sh_recorder_add_hook(r_hook_ctors, true, (uintptr_t)call_constructors_dlinfo->dli_saddr,
+                         call_constructors_dlinfo->dli_fname, call_constructors_dlinfo->dli_sname,
+                         (uintptr_t)sh_linker_proxy_soinfo_call_ctors, backup_len_ctors, UINTPTR_MAX,
                          (uintptr_t)(__builtin_return_address(0)));
+  if (INT_MAX != r_hook_dtors)
+    sh_recorder_add_hook(r_hook_dtors, true, (uintptr_t)call_destructors_dlinfo->dli_saddr,
+                         call_destructors_dlinfo->dli_fname, call_destructors_dlinfo->dli_sname,
+                         (uintptr_t)sh_linker_proxy_soinfo_call_dtors, backup_len_dtors, UINTPTR_MAX,
+                         (uintptr_t)(__builtin_return_address(0)));
+
+  SH_LOG_INFO("linker: hook ctors and dtors %s", 0 == r ? "OK" : "FAILED");
+  return r;
+}
 
-    if (0 != r) goto end;
+static int sh_linker_get_symbol_info(xdl_info_t *call_constructors_dlinfo,
+                                     xdl_info_t *call_destructors_dlinfo, pthread_mutex_t **g_dl_mutex) {
+  int api_level = sh_util_get_api_level();
+
+  void *handle = xdl_open(SH_LINKER_BASENAME, XDL_DEFAULT);
+  if (__predict_false(NULL == handle)) return -1;
+  int r = -1;
+
+  // check arch
+  xdl_info_t linker_dlinfo;
+  xdl_info(handle, XDL_DI_DLINFO, &linker_dlinfo);
+  if (__predict_false(!sh_linker_check_arch(&linker_dlinfo))) goto end;
+
+  // get soinfo::call_constructors()
+  xdl_info_t *dlinfo = call_constructors_dlinfo;
+  xdl_info(handle, XDL_DI_DLINFO, dlinfo);
+  dlinfo->dli_fname = SH_LINKER_BASENAME;
+  dlinfo->dli_sname =
+      api_level >= __ANDROID_API_M__ ? SH_LINKER_SYM_CALL_CONSTRUCTORS_M : SH_LINKER_SYM_CALL_CONSTRUCTORS_L;
+  dlinfo->dli_saddr = xdl_dsym(handle, dlinfo->dli_sname, &(dlinfo->dli_ssize));
+  if (__predict_false(NULL == dlinfo->dli_saddr)) goto end;
+
+  // get soinfo::call_destructors()
+  dlinfo = call_destructors_dlinfo;
+  xdl_info(handle, XDL_DI_DLINFO, dlinfo);
+  dlinfo->dli_fname = SH_LINKER_BASENAME;
+  dlinfo->dli_sname =
+      api_level >= __ANDROID_API_M__ ? SH_LINKER_SYM_CALL_DESTRUCTORS_M : SH_LINKER_SYM_CALL_DESTRUCTORS_L;
+  dlinfo->dli_saddr = xdl_dsym(handle, dlinfo->dli_sname, &(dlinfo->dli_ssize));
+  if (__predict_false(NULL == dlinfo->dli_saddr)) goto end;
+
+#if SH_LINKER_HOOK_WITH_DL_MUTEX
+  // get g_dl_mutex
+  if (api_level > __ANDROID_API_U__) {
+    *g_dl_mutex = (pthread_mutex_t *)(xdl_dsym(handle, SH_LINKER_SYM_G_DL_MUTEX_U_QPR2, NULL));
+  } else if (api_level == __ANDROID_API_U__) {
+    *g_dl_mutex = (pthread_mutex_t *)(xdl_dsym(handle, SH_LINKER_SYM_G_DL_MUTEX, NULL));
+    if (NULL == *g_dl_mutex && api_level == __ANDROID_API_U__)
+      *g_dl_mutex = (pthread_mutex_t *)(xdl_dsym(handle, SH_LINKER_SYM_G_DL_MUTEX_U_QPR2, NULL));
   } else {
-    // check dlinfo
-    if (!sh_linker_check_arch(&sh_linker_dlopen_dlinfo)) {
-      result = SHADOWHOOK_ERRNO_LINKER_ARCH_MISMATCH;
-      goto end;
-    }
+    *g_dl_mutex = (pthread_mutex_t *)(xdl_dsym(handle, SH_LINKER_SYM_G_DL_MUTEX, NULL));
+  }
+  if (__predict_false(NULL == *g_dl_mutex)) goto end;
+#else
+  (void)g_dl_mutex;
+#endif
 
-    uintptr_t proxy;
-    uintptr_t *orig;
-    if (api_level >= __ANDROID_API_N__) {
-      proxy = (uintptr_t)sh_linker_proxy_do_dlopen_n;
-      orig = (uintptr_t *)&sh_linker_orig_do_dlopen_n;
-    } else {
-      proxy = (uintptr_t)sh_linker_proxy_do_dlopen_l;
-      orig = (uintptr_t *)&sh_linker_orig_do_dlopen_l;
+  // OK
+  r = 0;
+
+end:
+  xdl_close(handle);
+  return r;
+}
+
+int sh_linker_init(void) {
+  // only init for >= Android 5.0
+#if SH_UTIL_COMPATIBLE_WITH_ARM_ANDROID_4_X
+  if (__predict_false(sh_util_get_api_level() < __ANDROID_API_L__)) return 0;
+#endif
+
+  // get linker's soinfo::call_constructors(), soinfo::call_destructors() and g_dl_mutex
+  xdl_info_t call_constructors_dlinfo, call_destructors_dlinfo;
+  pthread_mutex_t *g_dl_mutex;
+  if (0 != sh_linker_get_symbol_info(&call_constructors_dlinfo, &call_destructors_dlinfo, &g_dl_mutex))
+    return -1;
+
+  // hook soinfo::call_constructors() and soinfo::call_destructors()
+  return sh_linker_hook_call_ctors_dtors(&call_constructors_dlinfo, &call_destructors_dlinfo, g_dl_mutex);
+}
+
+int sh_linker_register_dl_init_callback(shadowhook_dl_info_t pre, shadowhook_dl_info_t post, void *data) {
+  sh_linker_dl_info_cb_t *cb_new = malloc(sizeof(sh_linker_dl_info_cb_t));
+  if (NULL == cb_new) return SHADOWHOOK_ERRNO_OOM;
+  cb_new->pre = pre;
+  cb_new->post = post;
+  cb_new->data = data;
+
+  sh_linker_dl_info_cb_t *cb = NULL;
+  pthread_rwlock_wrlock(&sh_linker_dl_init_cbs_lock);
+  TAILQ_FOREACH(cb, &sh_linker_dl_init_cbs, link) {
+    if (cb->pre == pre && cb->post == post && cb->data == data) break;
+  }
+  if (NULL == cb) {
+    TAILQ_INSERT_TAIL(&sh_linker_dl_init_cbs, cb_new, link);
+    cb_new = NULL;
+  }
+  pthread_rwlock_unlock(&sh_linker_dl_init_cbs_lock);
+
+  if (NULL != cb_new) {
+    free(cb_new);
+    return SHADOWHOOK_ERRNO_DUP;
+  }
+  return 0;
+}
+
+int sh_linker_unregister_dl_init_callback(shadowhook_dl_info_t pre, shadowhook_dl_info_t post, void *data) {
+  sh_linker_dl_info_cb_t *cb = NULL, *cb_tmp;
+  pthread_rwlock_wrlock(&sh_linker_dl_init_cbs_lock);
+  TAILQ_FOREACH_SAFE(cb, &sh_linker_dl_init_cbs, link, cb_tmp) {
+    if (cb->pre == pre && cb->post == post && cb->data == data) {
+      TAILQ_REMOVE(&sh_linker_dl_init_cbs, cb, link);
+      break;
     }
+  }
+  pthread_rwlock_unlock(&sh_linker_dl_init_cbs_lock);
 
-    // hook
-    pthread_mutex_lock(sh_linker_g_dl_mutex);
-    r = hook(sh_linker_dlopen_addr, proxy, orig, &backup_len, &sh_linker_dlopen_dlinfo);
-    pthread_mutex_unlock(sh_linker_g_dl_mutex);
+  if (NULL == cb) return SHADOWHOOK_ERRNO_NOT_FOUND;
+  free(cb);
+  return 0;
+}
 
-    // record
-    sh_recorder_add_hook(r, true, sh_linker_dlopen_addr, SH_LINKER_BASENAME,
-                         sh_linker_dlopen_dlinfo.dli_sname, proxy, backup_len, UINTPTR_MAX,
-                         (uintptr_t)(__builtin_return_address(0)));
+int sh_linker_register_dl_fini_callback(shadowhook_dl_info_t pre, shadowhook_dl_info_t post, void *data) {
+  sh_linker_dl_info_cb_t *cb_new = malloc(sizeof(sh_linker_dl_info_cb_t));
+  if (NULL == cb_new) return SHADOWHOOK_ERRNO_OOM;
+  cb_new->pre = pre;
+  cb_new->post = post;
+  cb_new->data = data;
+
+  sh_linker_dl_info_cb_t *cb = NULL;
+  pthread_rwlock_wrlock(&sh_linker_dl_fini_cbs_lock);
+  TAILQ_FOREACH(cb, &sh_linker_dl_fini_cbs, link) {
+    if (cb->pre == pre && cb->post == post && cb->data == data) break;
+  }
+  if (NULL == cb) {
+    TAILQ_INSERT_TAIL(&sh_linker_dl_fini_cbs, cb_new, link);
+    cb_new = NULL;
+  }
+  pthread_rwlock_unlock(&sh_linker_dl_fini_cbs_lock);
 
-    if (0 != r) goto end;
+  if (NULL != cb_new) {
+    free(cb_new);
+    return SHADOWHOOK_ERRNO_DUP;
   }
+  return 0;
+}
 
-  // OK
-  result = 0;
+int sh_linker_unregister_dl_fini_callback(shadowhook_dl_info_t pre, shadowhook_dl_info_t post, void *data) {
+  sh_linker_dl_info_cb_t *cb = NULL, *cb_tmp;
+  pthread_rwlock_wrlock(&sh_linker_dl_fini_cbs_lock);
+  TAILQ_FOREACH_SAFE(cb, &sh_linker_dl_fini_cbs, link, cb_tmp) {
+    if (cb->pre == pre && cb->post == post && cb->data == data) {
+      TAILQ_REMOVE(&sh_linker_dl_fini_cbs, cb, link);
+      break;
+    }
+  }
+  pthread_rwlock_unlock(&sh_linker_dl_fini_cbs_lock);
 
-end:
-  pthread_mutex_unlock(&lock);
-  SH_LOG_INFO("linker: hook dlopen %s, return: %d", 0 == result ? "OK" : "FAILED", result);
-  return result;
+  if (NULL == cb) return SHADOWHOOK_ERRNO_NOT_FOUND;
+  free(cb);
+  return 0;
 }
 
 int sh_linker_get_dlinfo_by_addr(void *addr, xdl_info_t *dlinfo, char *lib_name, size_t lib_name_sz,
@@ -308,10 +735,11 @@ int sh_linker_get_dlinfo_by_addr(void *addr, xdl_info_t *dlinfo, char *lib_name,
     }
     SH_SIG_EXIT
   }
-  SH_LOG_INFO("task: get dlinfo by target addr: target_addr %p, sym_name %s, sym_sz %zu, load_bias %" PRIxPTR
-              ", pathname %s",
-              addr, NULL == dlinfo->dli_sname ? "(NULL)" : dlinfo->dli_sname, dlinfo->dli_ssize,
-              (uintptr_t)dlinfo->dli_fbase, NULL == dlinfo->dli_fname ? "(NULL)" : dlinfo->dli_fname);
+  SH_LOG_INFO(
+      "linker: get dlinfo by target addr: target_addr %p, sym_name %s, sym_sz %zu, load_bias %" PRIxPTR
+      ", pathname %s",
+      addr, NULL == dlinfo->dli_sname ? "(NULL)" : dlinfo->dli_sname, dlinfo->dli_ssize,
+      (uintptr_t)dlinfo->dli_fbase, NULL == dlinfo->dli_fname ? "(NULL)" : dlinfo->dli_fname);
 
   // check error
   if (crashed) {
@@ -341,7 +769,7 @@ int sh_linker_get_dlinfo_by_addr(void *addr, xdl_info_t *dlinfo, char *lib_name,
         dlinfo->dli_saddr = addr;
         dlinfo->dli_sname = matched_dlfcn_name;
         dlinfo->dli_ssize = 4;  // safe length, only relative jumps are allowed
-        SH_LOG_INFO("task: match dlfcn, target_addr %p, sym_name %s", addr, matched_dlfcn_name);
+        SH_LOG_INFO("linker: match dlfcn, target_addr %p, sym_name %s", addr, matched_dlfcn_name);
       }
     }
   }
diff --git a/shadowhook/src/main/cpp/sh_linker.h b/shadowhook/src/main/cpp/sh_linker.h
index ab069ae..6c8745d 100644
--- a/shadowhook/src/main/cpp/sh_linker.h
+++ b/shadowhook/src/main/cpp/sh_linker.h
@@ -25,16 +25,26 @@
 #include <stdbool.h>
 #include <stdint.h>
 
+#include "sh_util.h"
+#include "shadowhook.h"
 #include "xdl.h"
 
 int sh_linker_init(void);
 
-const char *sh_linker_match_dlfcn(uintptr_t target_addr);
-bool sh_linker_need_to_hook_dlopen(uintptr_t target_addr);
+// for Android 4.x
+#if SH_UTIL_COMPATIBLE_WITH_ARM_ANDROID_4_X
+bool sh_linker_need_to_pre_register(uintptr_t target_addr);
+typedef void (*sh_linker_dlopen_post_t)(void);
+int sh_linker_register_dlopen_post_callback(sh_linker_dlopen_post_t post);
+#endif
 
-typedef void (*sh_linker_post_dlopen_t)(void *arg);
-int sh_linker_hook_dlopen(sh_linker_post_dlopen_t post_dlopen, void *post_dlopen_arg);
+// for Android >= 5.0
+int sh_linker_register_dl_init_callback(shadowhook_dl_info_t pre, shadowhook_dl_info_t post, void *data);
+int sh_linker_unregister_dl_init_callback(shadowhook_dl_info_t pre, shadowhook_dl_info_t post, void *data);
+int sh_linker_register_dl_fini_callback(shadowhook_dl_info_t pre, shadowhook_dl_info_t post, void *data);
+int sh_linker_unregister_dl_fini_callback(shadowhook_dl_info_t pre, shadowhook_dl_info_t post, void *data);
 
+// linker utils
 int sh_linker_get_dlinfo_by_addr(void *addr, xdl_info_t *dlinfo, char *lib_name, size_t lib_name_sz,
                                  char *sym_name, size_t sym_name_sz, bool ignore_symbol_check);
 int sh_linker_get_dlinfo_by_sym_name(const char *lib_name, const char *sym_name, xdl_info_t *dlinfo,
diff --git a/shadowhook/src/main/cpp/sh_safe.c b/shadowhook/src/main/cpp/sh_safe.c
index ec3fc1a..7fce4d2 100644
--- a/shadowhook/src/main/cpp/sh_safe.c
+++ b/shadowhook/src/main/cpp/sh_safe.c
@@ -61,6 +61,7 @@ static int sh_safe_init_func(void *handle, const char *symbol, size_t idx) {
 int sh_safe_init(void) {
   sh_safe_api_level = sh_util_get_api_level();
 
+  // You can also use dlopen(), but dlopen() is more likely to have been hooked.
   void *handle = xdl_open("libc.so", XDL_DEFAULT);
   if (NULL == handle) return -1;
 
@@ -88,7 +89,8 @@ uintptr_t *sh_safe_get_orig_addr_addr(uintptr_t target_addr) {
 
 static uintptr_t sh_safe_get_orig_addr(size_t idx) {
   sh_safe_addr_t *addr = &sh_safe_addrs[idx];
-  return 0 != addr->orig_addr ? addr->orig_addr : addr->target_addr;
+  uintptr_t orig_addr = __atomic_load_n(&addr->orig_addr, __ATOMIC_ACQUIRE);
+  return 0 != orig_addr ? orig_addr : addr->target_addr;
 }
 
 void *sh_safe_pthread_getspecific(pthread_key_t key) {
@@ -127,6 +129,10 @@ void *sh_safe_mmap(void *addr, size_t length, int prot, int flags, int fd, off_t
   return sys_mmap(addr, length, prot, flags, fd, offset);
 }
 
+int sh_safe_munmap(void *addr, size_t size) {
+  return sys_munmap(addr, size);
+}
+
 int sh_safe_prctl(int option, unsigned long arg2, unsigned long arg3, unsigned long arg4,
                   unsigned long arg5) {
   return sys_prctl(option, arg2, arg3, arg4, arg5);
diff --git a/shadowhook/src/main/cpp/sh_safe.h b/shadowhook/src/main/cpp/sh_safe.h
index 0442257..02a3570 100644
--- a/shadowhook/src/main/cpp/sh_safe.h
+++ b/shadowhook/src/main/cpp/sh_safe.h
@@ -34,4 +34,5 @@ int sh_safe_pthread_setspecific(pthread_key_t key, const void *value);
 void sh_safe_abort(void);
 
 void *sh_safe_mmap(void *addr, size_t length, int prot, int flags, int fd, off_t offset);
+int sh_safe_munmap(void *addr, size_t size);
 int sh_safe_prctl(int option, unsigned long arg2, unsigned long arg3, unsigned long arg4, unsigned long arg5);
diff --git a/shadowhook/src/main/cpp/sh_switch.c b/shadowhook/src/main/cpp/sh_switch.c
index e068f99..89e22d4 100644
--- a/shadowhook/src/main/cpp/sh_switch.c
+++ b/shadowhook/src/main/cpp/sh_switch.c
@@ -91,7 +91,7 @@ static int sh_switch_create(sh_switch_t **self, uintptr_t target_addr, uintptr_t
   (*self)->hub = NULL;
 
   if (NULL != hub_trampo) {
-    if (NULL == ((*self)->hub = sh_hub_create(target_addr, hub_trampo))) {
+    if (NULL == ((*self)->hub = sh_hub_create(hub_trampo))) {
       free(*self);
       return SHADOWHOOK_ERRNO_HUB_CREAT;
     }
@@ -142,7 +142,12 @@ static int sh_switch_hook_unique(uintptr_t target_addr, uintptr_t new_addr, uint
   }
 
   // do hook
-  if (0 != (r = sh_inst_hook(&self->inst, target_addr, dlinfo, new_addr, orig_addr, NULL))) {
+  uintptr_t *safe_orig_addr_addr = sh_safe_get_orig_addr_addr(target_addr);
+  uintptr_t *orig_addr2 =
+      (NULL != safe_orig_addr_addr && 0 == __atomic_load_n(safe_orig_addr_addr, __ATOMIC_ACQUIRE))
+          ? safe_orig_addr_addr
+          : NULL;
+  if (0 != (r = sh_inst_hook(&self->inst, target_addr, dlinfo, new_addr, orig_addr, orig_addr2))) {
     RB_REMOVE(sh_switch_tree, &sh_switches, self);
     useless = self;
     goto end;
@@ -279,7 +284,12 @@ static int sh_switch_unhook_unique(uintptr_t target_addr) {
     r = SHADOWHOOK_ERRNO_UNHOOK_NOTFOUND;
     goto end;
   }
+
   r = sh_inst_unhook(&self->inst, target_addr);
+
+  uintptr_t *safe_orig_addr_addr = sh_safe_get_orig_addr_addr(target_addr);
+  if (NULL != safe_orig_addr_addr) __atomic_store_n(safe_orig_addr_addr, 0, __ATOMIC_RELEASE);
+
   RB_REMOVE(sh_switch_tree, &sh_switches, self);
   useless = self;
 
@@ -315,7 +325,7 @@ static int sh_switch_unhook_shared(uintptr_t target_addr, uintptr_t new_addr) {
     r = sh_inst_unhook(&self->inst, target_addr);
 
     uintptr_t *safe_orig_addr_addr = sh_safe_get_orig_addr_addr(target_addr);
-    if (NULL != safe_orig_addr_addr) __atomic_store_n(safe_orig_addr_addr, 0, __ATOMIC_SEQ_CST);
+    if (NULL != safe_orig_addr_addr) __atomic_store_n(safe_orig_addr_addr, 0, __ATOMIC_RELEASE);
 
     RB_REMOVE(sh_switch_tree, &sh_switches, self);
     useless = self;
@@ -331,13 +341,29 @@ int sh_switch_unhook(uintptr_t target_addr, uintptr_t new_addr) {
   int r;
   if (SHADOWHOOK_IS_UNIQUE_MODE) {
     r = sh_switch_unhook_unique(target_addr);
-    if (0 == r) SH_LOG_INFO("switch: unhook in UNIQUE mode OK: target_addr %" PRIxPTR, target_addr);
   } else {
     r = sh_switch_unhook_shared(target_addr, new_addr);
-    if (0 == r)
-      SH_LOG_INFO("switch: unhook in SHARED mode OK: target_addr %" PRIxPTR ", new_addr %" PRIxPTR,
-                  target_addr, new_addr);
   }
 
+  if (0 == r)
+    SH_LOG_INFO("switch: unhook in %s mode OK: target_addr %" PRIxPTR ", new_addr %" PRIxPTR,
+                SHADOWHOOK_IS_UNIQUE_MODE ? "UNIQUE" : "SHARED", target_addr, new_addr);
+
   return r;
 }
+
+void sh_switch_free_after_dlclose(xdl_info_t *dlinfo) {
+  pthread_rwlock_wrlock(&sh_switches_lock);  // SYNC - start
+
+  sh_switch_t *self, *tmp;
+  RB_FOREACH_SAFE(self, sh_switch_tree, &sh_switches, tmp) {
+    if (sh_util_is_in_elf_pt_load(dlinfo, self->target_addr)) {
+      RB_REMOVE(sh_switch_tree, &sh_switches, self);
+      sh_inst_free_after_dlclose(&self->inst, self->target_addr);
+      SH_LOG_INFO("switch: free_after_dlclose OK. target_addr %" PRIxPTR, self->target_addr);
+      sh_switch_destroy(self, false);
+    }
+  }
+
+  pthread_rwlock_unlock(&sh_switches_lock);  // SYNC - end
+}
diff --git a/shadowhook/src/main/cpp/sh_switch.h b/shadowhook/src/main/cpp/sh_switch.h
index fa64cc7..f9925ac 100644
--- a/shadowhook/src/main/cpp/sh_switch.h
+++ b/shadowhook/src/main/cpp/sh_switch.h
@@ -32,3 +32,5 @@ int sh_switch_unhook(uintptr_t target_addr, uintptr_t new_addr);
 
 int sh_switch_hook_invisible(uintptr_t target_addr, uintptr_t new_addr, uintptr_t *orig_addr,
                              size_t *backup_len, xdl_info_t *dlinfo);
+
+void sh_switch_free_after_dlclose(xdl_info_t *dlinfo);
diff --git a/shadowhook/src/main/cpp/sh_task.c b/shadowhook/src/main/cpp/sh_task.c
index 20475e9..8aefb12 100644
--- a/shadowhook/src/main/cpp/sh_task.c
+++ b/shadowhook/src/main/cpp/sh_task.c
@@ -46,13 +46,11 @@
 #include "shadowhook.h"
 #include "xdl.h"
 
-#define SH_TASK_THREAD_NAME "shadowhook-task"
-
 // task
 #pragma clang diagnostic push
 #pragma clang diagnostic ignored "-Wpadded"
 struct sh_task {
-  char *lib_name;
+  char *lib_name;  // NULL means: hook_sym_addr or hook_func_addr
   char *sym_name;
   uintptr_t target_addr;
   uintptr_t new_addr;
@@ -75,9 +73,6 @@ static sh_task_queue_t sh_tasks = TAILQ_HEAD_INITIALIZER(sh_tasks);
 static pthread_rwlock_t sh_tasks_lock = PTHREAD_RWLOCK_INITIALIZER;
 static int sh_tasks_unfinished_cnt = 0;
 
-static int sh_task_eventfd;
-static int thread_started_result = SHADOWHOOK_ERRNO_MONITOR_THREAD;
-
 sh_task_t *sh_task_create_by_target_addr(uintptr_t target_addr, uintptr_t new_addr, uintptr_t *orig_addr,
                                          bool ignore_symbol_check, uintptr_t caller_addr) {
   sh_task_t *self = malloc(sizeof(sh_task_t));
@@ -144,8 +139,13 @@ static int sh_task_hook_pending(struct dl_phdr_info *info, size_t size, void *ar
   sh_task_t *task;
   TAILQ_FOREACH(task, &sh_tasks, link) {
     if (task->finished) continue;
-    if ('/' == info->dlpi_name[0] && NULL == strstr(info->dlpi_name, task->lib_name)) continue;
-    if ('/' != info->dlpi_name[0] && NULL == strstr(task->lib_name, info->dlpi_name)) continue;
+    if ('/' == info->dlpi_name[0] && '/' != task->lib_name[0]) {
+      if (!sh_util_ends_with(info->dlpi_name, task->lib_name)) continue;
+    } else if ('/' != info->dlpi_name[0] && '/' == task->lib_name[0]) {
+      if (!sh_util_ends_with(task->lib_name, info->dlpi_name)) continue;
+    } else {
+      if (0 != strcmp(info->dlpi_name, task->lib_name)) continue;
+    }
 
     xdl_info_t dlinfo;
     char real_lib_name[512];
@@ -171,82 +171,86 @@ static int sh_task_hook_pending(struct dl_phdr_info *info, size_t size, void *ar
 
   pthread_rwlock_unlock(&sh_tasks_lock);
 
-  return __atomic_load_n(&sh_tasks_unfinished_cnt, __ATOMIC_SEQ_CST) > 0 ? 0 : 1;
+  return __atomic_load_n(&sh_tasks_unfinished_cnt, __ATOMIC_ACQUIRE) > 0 ? 0 : 1;
 }
 
-#pragma clang diagnostic push
-#pragma clang diagnostic ignored "-Wgnu-statement-expression"
-
-static void sh_task_post_dlopen_callback(void *arg) {
-  (void)arg;
-
-  if (0 == thread_started_result && __atomic_load_n(&sh_tasks_unfinished_cnt, __ATOMIC_SEQ_CST) > 0) {
-    uint64_t ev_val = 1;
-    SH_UTIL_TEMP_FAILURE_RETRY(write(sh_task_eventfd, &ev_val, sizeof(ev_val)));
+#if SH_UTIL_COMPATIBLE_WITH_ARM_ANDROID_4_X
+static void sh_task_dlopen_post(void) {
+  SH_LOG_INFO("task: dlopen() post callback");
+  if (__atomic_load_n(&sh_tasks_unfinished_cnt, __ATOMIC_ACQUIRE) > 0) {
+    xdl_iterate_phdr(sh_task_hook_pending, NULL, XDL_DEFAULT);
   }
 }
+#endif
 
-__noreturn static void *sh_task_thread_func(void *arg) {
-  (void)arg;
-  pthread_t thread = pthread_self();
-  pthread_setname_np(thread, SH_TASK_THREAD_NAME);
-  pthread_detach(thread);
-
-  struct pollfd ev = {.fd = sh_task_eventfd, .events = POLLIN, .revents = 0};
-  while (1) {
-    int n = SH_UTIL_TEMP_FAILURE_RETRY(poll(&ev, 1, -1));
-    if (n < 0) {
-      sleep(1);
-      continue;
-    } else if (n > 0) {
-      uint64_t ev_val;
-      SH_UTIL_TEMP_FAILURE_RETRY(read(sh_task_eventfd, &ev_val, sizeof(ev_val)));
-
-      if (sh_util_get_api_level() >= __ANDROID_API_L__) {
-        xdl_iterate_phdr(sh_task_hook_pending, NULL, XDL_DEFAULT);
-      } else {
-        SH_SIG_TRY(SIGSEGV, SIGBUS) {
-          xdl_iterate_phdr(sh_task_hook_pending, NULL, XDL_DEFAULT);
-        }
-        SH_SIG_CATCH() {
-          SH_LOG_WARN("task: dliterate crashed");
-        }
-        SH_SIG_EXIT
-      }
-    }
+static void sh_task_dl_init_pre(struct dl_phdr_info *info, size_t size, void *data) {
+  SH_LOG_INFO("task: call_ctors() pre callback. load_bias %" PRIxPTR ", name %s", (uintptr_t)info->dlpi_addr,
+              info->dlpi_name);
+  if (__atomic_load_n(&sh_tasks_unfinished_cnt, __ATOMIC_ACQUIRE) > 0) {
+    sh_task_hook_pending(info, size, data);
   }
 }
 
-#pragma clang diagnostic pop
+static void sh_task_dl_fini_post(struct dl_phdr_info *info, size_t size, void *data) {
+  (void)size, (void)data;
 
-static int sh_task_start_monitor(bool start_thread) {
-  static bool thread_started = false;
-  static pthread_mutex_t lock = PTHREAD_MUTEX_INITIALIZER;
-  pthread_t thread;
-  int r;
+  SH_LOG_INFO("task: call_dtors() post callback. load_bias %" PRIxPTR ", name %s", (uintptr_t)info->dlpi_addr,
+              info->dlpi_name);
+
+  // free switch(es) that are no longer needed (for the currently dlclosed ELF)
+  xdl_info_t dlinfo;
+  dlinfo.dli_fbase = (void *)info->dlpi_addr;
+  dlinfo.dli_fname = info->dlpi_name;
+  dlinfo.dlpi_phdr = info->dlpi_phdr;
+  dlinfo.dlpi_phnum = (size_t)info->dlpi_phnum;
+  sh_switch_free_after_dlclose(&dlinfo);
 
-  // hook linker dlopen()
-  if (0 != (r = sh_linker_hook_dlopen(sh_task_post_dlopen_callback, NULL))) return r;
+  // reset "finished flag" for finished-task (for the currently dlclosed ELF)
+  pthread_rwlock_rdlock(&sh_tasks_lock);
+  sh_task_t *task;
+  TAILQ_FOREACH(task, &sh_tasks, link) {
+    if (task->finished && task->lib_name != NULL && task->sym_name != NULL && 0 != task->target_addr &&
+        sh_util_is_in_elf_pt_load(&dlinfo, task->target_addr)) {
+      task->target_addr = 0;
+      task->error = false;
+      task->finished = false;
+      __atomic_add_fetch(&sh_tasks_unfinished_cnt, 1, __ATOMIC_SEQ_CST);
+      SH_LOG_INFO("task: reset finished flag for: lib_name %s, sym_name %s", task->lib_name, task->sym_name);
+    }
+  }
+  pthread_rwlock_unlock(&sh_tasks_lock);
+}
 
-  if (!start_thread) return 0;
+#if SH_UTIL_COMPATIBLE_WITH_ARM_ANDROID_4_X
+static int sh_task_start_monitor_for_android_4x(void) {
+  static pthread_mutex_t lock = PTHREAD_MUTEX_INITIALIZER;
+  static bool tried = false;
+  static int result = -1;
 
-  // start thread
-  if (thread_started) return thread_started_result;
+  if (tried) return result;
   pthread_mutex_lock(&lock);
-  if (thread_started) goto end;
-
-  if (0 > (sh_task_eventfd = eventfd(0, EFD_NONBLOCK | EFD_CLOEXEC))) goto end;
-  if (0 != pthread_create(&thread, NULL, &sh_task_thread_func, NULL)) goto end;
+  if (tried) goto end;
+  tried = true;  // only once
 
-  // OK
-  thread_started_result = 0;
+  SH_LOG_INFO("task: start monitor ...");
+  result = sh_linker_register_dlopen_post_callback(sh_task_dlopen_post);
 
 end:
-  thread_started = true;
   pthread_mutex_unlock(&lock);
-  SH_LOG_INFO("task: start monitor %s, return: %d", 0 == thread_started_result ? "OK" : "FAILED",
-              thread_started_result);
-  return thread_started_result;
+  SH_LOG_INFO("task: start monitor %s, return: %d", 0 == result ? "OK" : "FAILED", result);
+  return result;
+}
+#endif
+
+int sh_task_init(void) {
+#if SH_UTIL_COMPATIBLE_WITH_ARM_ANDROID_4_X
+  if (__predict_false(sh_util_get_api_level() < __ANDROID_API_L__)) return 0;
+#endif
+
+  SH_LOG_INFO("task: start monitor ...");
+  if (0 != sh_linker_register_dl_init_callback(sh_task_dl_init_pre, NULL, NULL)) return -1;
+  if (0 != sh_linker_register_dl_fini_callback(NULL, sh_task_dl_fini_post, NULL)) return -1;
+  return 0;
 }
 
 int sh_task_hook(sh_task_t *self) {
@@ -266,9 +270,13 @@ int sh_task_hook(sh_task_t *self) {
     r = sh_linker_get_dlinfo_by_sym_name(self->lib_name, self->sym_name, &dlinfo, real_lib_name,
                                          sizeof(real_lib_name));
     if (SHADOWHOOK_ERRNO_PENDING == r) {
-      // we need to start monitor linker dlopen for handle the pending task
-      if (0 != (r = sh_task_start_monitor(true))) goto end;
-      r = SHADOWHOOK_ERRNO_PENDING;
+#if SH_UTIL_COMPATIBLE_WITH_ARM_ANDROID_4_X
+      if (__predict_false(sh_util_get_api_level() < __ANDROID_API_L__)) {
+        // we need to start monitor linker dlopen for handle the pending task
+        if (0 != (r = sh_task_start_monitor_for_android_4x())) goto end;
+        r = SHADOWHOOK_ERRNO_PENDING;
+      }
+#endif
       goto end;
     }
     if (0 != r) goto end;                             // error
@@ -279,12 +287,18 @@ int sh_task_hook(sh_task_t *self) {
     if (0 != r) goto end;  // error
   }
 
-  // In UNIQUE mode, if external users are hooking the linker dlopen() or do_dlopen(),
+  // In Android 4.x with UNIQUE mode, if external users are hooking the linker's dlopen(),
   // we MUST hook this method with invisible for ourself first.
-  if (sh_linker_need_to_hook_dlopen(self->target_addr)) {
-    SH_LOG_INFO("task: hook dlopen/do_dlopen internal. target-address %" PRIxPTR, self->target_addr);
-    if (0 != (r = sh_task_start_monitor(false))) goto end;
+  // In Android >= 5.0, we have already do the same jobs in sh_task_init().
+#if SH_UTIL_COMPATIBLE_WITH_ARM_ANDROID_4_X
+  if (__predict_false(sh_util_get_api_level() < __ANDROID_API_L__)) {
+    if (sh_linker_need_to_pre_register(self->target_addr)) {
+      SH_LOG_INFO("task: hook dlopen/call_ctors/call_dtors internal. target-address %" PRIxPTR,
+                  self->target_addr);
+      if (0 != (r = sh_task_start_monitor_for_android_4x())) goto end;
+    }
   }
+#endif
 
   // hook by target-address
   r = sh_switch_hook(self->target_addr, self->new_addr, self->orig_addr, &backup_len, &dlinfo);
diff --git a/shadowhook/src/main/cpp/sh_task.h b/shadowhook/src/main/cpp/sh_task.h
index 7c5d450..b28aad5 100644
--- a/shadowhook/src/main/cpp/sh_task.h
+++ b/shadowhook/src/main/cpp/sh_task.h
@@ -29,6 +29,8 @@
 
 typedef struct sh_task sh_task_t;
 
+int sh_task_init(void);
+
 sh_task_t *sh_task_create_by_target_addr(uintptr_t target_addr, uintptr_t new_addr, uintptr_t *orig_addr,
                                          bool ignore_symbol_check, uintptr_t caller_addr);
 sh_task_t *sh_task_create_by_sym_name(const char *lib_name, const char *sym_name, uintptr_t new_addr,
diff --git a/shadowhook/src/main/cpp/shadowhook.c b/shadowhook/src/main/cpp/shadowhook.c
index 5bb8690..27ad4dd 100644
--- a/shadowhook/src/main/cpp/shadowhook.c
+++ b/shadowhook/src/main/cpp/shadowhook.c
@@ -76,13 +76,13 @@ int shadowhook_init(shadowhook_mode_t mode, bool debuggable) {
       if (__predict_false(0 != bytesig_init(SIGSEGV))) GOTO_END(SHADOWHOOK_ERRNO_INIT_SIGSEGV);
       if (__predict_false(0 != bytesig_init(SIGBUS))) GOTO_END(SHADOWHOOK_ERRNO_INIT_SIGBUS);
       if (__predict_false(0 != sh_enter_init())) GOTO_END(SHADOWHOOK_ERRNO_INIT_ENTER);
+      if (__predict_false(0 != sh_safe_init())) GOTO_END(SHADOWHOOK_ERRNO_INIT_SAFE);
       sh_exit_init();
       if (SHADOWHOOK_MODE_SHARED == shadowhook_mode) {
-        if (__predict_false(0 != sh_safe_init())) GOTO_END(SHADOWHOOK_ERRNO_INIT_SAFE);
         if (__predict_false(0 != sh_hub_init())) GOTO_END(SHADOWHOOK_ERRNO_INIT_HUB);
-      } else {
-        if (__predict_false(0 != sh_linker_init())) GOTO_END(SHADOWHOOK_ERRNO_INIT_LINKER);
       }
+      if (__predict_false(0 != sh_linker_init())) GOTO_END(SHADOWHOOK_ERRNO_INIT_LINKER);
+      if (__predict_false(0 != sh_task_init())) GOTO_END(SHADOWHOOK_ERRNO_INIT_TASK);
 
 #undef GOTO_END
 
@@ -302,6 +302,50 @@ void *shadowhook_dlsym_symtab(void *handle, const char *sym_name) {
   return addr;
 }
 
+int shadowhook_register_dl_init_callback(shadowhook_dl_info_t pre, shadowhook_dl_info_t post, void *data) {
+#if SH_UTIL_COMPATIBLE_WITH_ARM_ANDROID_4_X
+  if (__predict_false(sh_util_get_api_level() < __ANDROID_API_L__))
+    SH_ERRNO_SET_RET_FAIL(SHADOWHOOK_ERRNO_NOT_SUPPORT);
+#endif
+  if (__predict_false(NULL == pre && NULL == post)) SH_ERRNO_SET_RET_FAIL(SHADOWHOOK_ERRNO_INVALID_ARG);
+  int r;
+  if ((r = sh_linker_register_dl_init_callback(pre, post, data)) != 0) SH_ERRNO_SET_RET_FAIL(r);
+  SH_ERRNO_SET_RET_ERRNUM(SHADOWHOOK_ERRNO_OK);
+}
+
+int shadowhook_unregister_dl_init_callback(shadowhook_dl_info_t pre, shadowhook_dl_info_t post, void *data) {
+#if SH_UTIL_COMPATIBLE_WITH_ARM_ANDROID_4_X
+  if (__predict_false(sh_util_get_api_level() < __ANDROID_API_L__))
+    SH_ERRNO_SET_RET_FAIL(SHADOWHOOK_ERRNO_NOT_SUPPORT);
+#endif
+  if (__predict_false(NULL == pre && NULL == post)) SH_ERRNO_SET_RET_FAIL(SHADOWHOOK_ERRNO_INVALID_ARG);
+  int r;
+  if ((r = sh_linker_unregister_dl_init_callback(pre, post, data)) != 0) SH_ERRNO_SET_RET_FAIL(r);
+  SH_ERRNO_SET_RET_ERRNUM(SHADOWHOOK_ERRNO_OK);
+}
+
+int shadowhook_register_dl_fini_callback(shadowhook_dl_info_t pre, shadowhook_dl_info_t post, void *data) {
+#if SH_UTIL_COMPATIBLE_WITH_ARM_ANDROID_4_X
+  if (__predict_false(sh_util_get_api_level() < __ANDROID_API_L__))
+    SH_ERRNO_SET_RET_FAIL(SHADOWHOOK_ERRNO_NOT_SUPPORT);
+#endif
+  if (__predict_false(NULL == pre && NULL == post)) SH_ERRNO_SET_RET_FAIL(SHADOWHOOK_ERRNO_INVALID_ARG);
+  int r;
+  if ((r = sh_linker_register_dl_fini_callback(pre, post, data)) != 0) SH_ERRNO_SET_RET_FAIL(r);
+  SH_ERRNO_SET_RET_ERRNUM(SHADOWHOOK_ERRNO_OK);
+}
+
+int shadowhook_unregister_dl_fini_callback(shadowhook_dl_info_t pre, shadowhook_dl_info_t post, void *data) {
+#if SH_UTIL_COMPATIBLE_WITH_ARM_ANDROID_4_X
+  if (__predict_false(sh_util_get_api_level() < __ANDROID_API_L__))
+    SH_ERRNO_SET_RET_FAIL(SHADOWHOOK_ERRNO_NOT_SUPPORT);
+#endif
+  if (__predict_false(NULL == pre && NULL == post)) SH_ERRNO_SET_RET_FAIL(SHADOWHOOK_ERRNO_INVALID_ARG);
+  int r;
+  if ((r = sh_linker_unregister_dl_fini_callback(pre, post, data)) != 0) SH_ERRNO_SET_RET_FAIL(r);
+  SH_ERRNO_SET_RET_ERRNUM(SHADOWHOOK_ERRNO_OK);
+}
+
 void *shadowhook_get_prev_func(void *func) {
   if (__predict_false(SHADOWHOOK_IS_UNIQUE_MODE)) abort();
   return sh_hub_get_prev_func(func);
diff --git a/shadowhook/src/main/cpp/shadowhook.map.txt b/shadowhook/src/main/cpp/shadowhook.map.txt
index 48c0ef4..c26d6a2 100644
--- a/shadowhook/src/main/cpp/shadowhook.map.txt
+++ b/shadowhook/src/main/cpp/shadowhook.map.txt
@@ -30,6 +30,11 @@
         shadowhook_dlsym_dynsym;
         shadowhook_dlsym_symtab;
 
+        shadowhook_register_dl_init_callback;
+        shadowhook_unregister_dl_init_callback;
+        shadowhook_register_dl_fini_callback;
+        shadowhook_unregister_dl_fini_callback;
+
         shadowhook_get_prev_func;
         shadowhook_pop_stack;
         shadowhook_allow_reentrant;
diff --git a/systest/build.gradle b/systest/build.gradle
index 846c56a..17cfefc 100644
--- a/systest/build.gradle
+++ b/systest/build.gradle
@@ -44,7 +44,7 @@ android {
     }
     packagingOptions {
         jniLibs {
-            excludes += ['**/libshadowhook.so']
+            excludes += ['**/libshadowhook.so', '**/libshadowhook_nothing.so']
         }
         if (rootProject.ext.useASAN) {
             doNotStrip "**/*.so"
diff --git a/systest/src/main/cpp/CMakeLists.txt b/systest/src/main/cpp/CMakeLists.txt
index b348805..7c5ebdb 100644
--- a/systest/src/main/cpp/CMakeLists.txt
+++ b/systest/src/main/cpp/CMakeLists.txt
@@ -1,4 +1,4 @@
-cmake_minimum_required(VERSION 3.22.1)
+cmake_minimum_required(VERSION 3.30.5)
 project(systest)
 
 if(DEPENDENCY_ON_LOCAL_LIBRARY)
diff --git a/systest/src/main/cpp/systest.c b/systest/src/main/cpp/systest.c
index 1a0450f..4e57a5f 100644
--- a/systest/src/main/cpp/systest.c
+++ b/systest/src/main/cpp/systest.c
@@ -53,9 +53,11 @@ extern __attribute((weak)) int dup3(int __old_fd, int __new_fd, int __flags);
 extern __attribute((weak)) int sigaction64(int __signal, const struct sigaction64 *__new_action,
                                            struct sigaction64 *__old_action);
 
+#define LOG_TAG "shadowhook_tag"
 #pragma clang diagnostic push
 #pragma clang diagnostic ignored "-Wgnu-zero-variadic-macro-arguments"
-#define LOG(fmt, ...) __android_log_print(ANDROID_LOG_INFO, "shadowhook_tag", fmt, ##__VA_ARGS__)
+#define LOG(fmt, ...)             __android_log_print(ANDROID_LOG_INFO, LOG_TAG, fmt, ##__VA_ARGS__)
+#define LOG_ALWAYS_SHOW(fmt, ...) __android_log_print(ANDROID_LOG_ERROR, LOG_TAG, fmt, ##__VA_ARGS__)
 #pragma clang diagnostic pop
 
 #define DELIMITER_TITLE  "==================================================================="
@@ -78,7 +80,8 @@ extern __attribute((weak)) int sigaction64(int __signal, const struct sigaction6
                      (void *)sym,                                                                         \
                      SHADOWHOOK_IS_UNIQUE_MODE ? (void *)unique_proxy_##sym : (void *)shared_proxy_##sym, \
                      (void **)(&orig_##sym))))                                                            \
-      LOG("hook sym addr FAILED: " TO_STR(sym) ". errno: %d", errno_##sym = shadowhook_get_errno());      \
+      LOG_ALWAYS_SHOW("hook sym addr FAILED: " TO_STR(sym) ". errno: %d",                                 \
+                      errno_##sym = shadowhook_get_errno());                                              \
   } while (0)
 
 #define HOOK_SYM_NAME(lib, sym)                                                                           \
@@ -89,31 +92,31 @@ extern __attribute((weak)) int sigaction64(int __signal, const struct sigaction6
                      TO_STR(lib), TO_STR(sym),                                                            \
                      SHADOWHOOK_IS_UNIQUE_MODE ? (void *)unique_proxy_##sym : (void *)shared_proxy_##sym, \
                      (void **)&orig_##sym)))                                                              \
-      LOG("hook sym name FAILED: " TO_STR(lib) ", " TO_STR(sym) ". errno: %d",                            \
-          errno_##sym = shadowhook_get_errno());                                                          \
+      LOG_ALWAYS_SHOW("hook sym name FAILED: " TO_STR(lib) ", " TO_STR(sym) ". errno: %d",                \
+                      errno_##sym = shadowhook_get_errno());                                              \
     else                                                                                                  \
       errno_##sym = shadowhook_get_errno();                                                               \
   } while (0)
 
-#define UNHOOK_SYM_ADDR(sym)                                                             \
-  do {                                                                                   \
-    if (NULL == sym) break;                                                              \
-    if (NULL == stub_##sym) break;                                                       \
-    if (0 != shadowhook_unhook(stub_##sym))                                              \
-      LOG("unhook sym addr FAILED: " TO_STR(sym) ". errno: %d", shadowhook_get_errno()); \
-    else                                                                                 \
-      errno_##sym = shadowhook_get_errno();                                              \
-    stub_##sym = NULL;                                                                   \
+#define UNHOOK_SYM_ADDR(sym)                                                                         \
+  do {                                                                                               \
+    if (NULL == sym) break;                                                                          \
+    if (NULL == stub_##sym) break;                                                                   \
+    if (0 != shadowhook_unhook(stub_##sym))                                                          \
+      LOG_ALWAYS_SHOW("unhook sym addr FAILED: " TO_STR(sym) ". errno: %d", shadowhook_get_errno()); \
+    else                                                                                             \
+      errno_##sym = shadowhook_get_errno();                                                          \
+    stub_##sym = NULL;                                                                               \
   } while (0)
 
-#define UNHOOK_SYM_NAME(sym)                                                             \
-  do {                                                                                   \
-    if (NULL == stub_##sym) break;                                                       \
-    if (0 != shadowhook_unhook(stub_##sym))                                              \
-      LOG("unhook sym addr FAILED: " TO_STR(sym) ". errno: %d", shadowhook_get_errno()); \
-    else                                                                                 \
-      errno_##sym = shadowhook_get_errno();                                              \
-    stub_##sym = NULL;                                                                   \
+#define UNHOOK_SYM_NAME(sym)                                                                         \
+  do {                                                                                               \
+    if (NULL == stub_##sym) break;                                                                   \
+    if (0 != shadowhook_unhook(stub_##sym))                                                          \
+      LOG_ALWAYS_SHOW("unhook sym addr FAILED: " TO_STR(sym) ". errno: %d", shadowhook_get_errno()); \
+    else                                                                                             \
+      errno_##sym = shadowhook_get_errno();                                                          \
+    stub_##sym = NULL;                                                                               \
   } while (0)
 
 #ifdef DEPENDENCY_ON_LOCAL_LIBRARY
@@ -808,6 +811,8 @@ static void shared_proxy_fake_sym(void) {
 #pragma clang diagnostic pop
 
 int systest_hook(void) {
+  LOG_ALWAYS_SHOW("systest hook start");
+
   HOOK_SYM_ADDR(pthread_create);
   HOOK_SYM_ADDR(pthread_exit);
 #ifdef DEPENDENCY_ON_LOCAL_LIBRARY
@@ -877,10 +882,14 @@ int systest_hook(void) {
   HOOK_SYM_NAME(libart.so, _ZN3art2gc4Heap21ThrowOutOfMemoryErrorEPNS_6ThreadEjNS0_13AllocatorTypeE);
 #endif
   HOOK_SYM_NAME(libshadowhook_non_existent_library.so, fake_sym);
+
+  LOG_ALWAYS_SHOW("systest hook end");
   return 0;
 }
 
 int systest_unhook(void) {
+  LOG_ALWAYS_SHOW("systest unhook start");
+
   UNHOOK_SYM_ADDR(pthread_create);
   UNHOOK_SYM_ADDR(pthread_exit);
 #ifdef DEPENDENCY_ON_LOCAL_LIBRARY
@@ -950,6 +959,8 @@ int systest_unhook(void) {
   UNHOOK_SYM_NAME(_ZN3art2gc4Heap21ThrowOutOfMemoryErrorEPNS_6ThreadEjNS0_13AllocatorTypeE);
 #endif
   UNHOOK_SYM_NAME(fake_sym);
+
+  LOG_ALWAYS_SHOW("systest unhook end");
   return 0;
 }
 
@@ -960,9 +971,12 @@ static void *systest_simulate_thd(void *arg) {
 
 static void systest_simulate(void) {
   // pthread_create, pthread_exit
-  pthread_t thd;
-  pthread_create(&thd, NULL, &systest_simulate_thd, NULL);
-  pthread_join(thd, NULL);
+
+  for (int i = 0; i < 4; ++i) {
+    pthread_t thd;
+    pthread_create(&thd, NULL, &systest_simulate_thd, NULL);
+    pthread_join(thd, NULL);
+  }
 
   // pthread_getspecific, pthread_setspecific
   static pthread_key_t systest_tls_key;
diff --git a/systest/src/main/java/com/bytedance/shadowhook/systest/SysTest.java b/systest/src/main/java/com/bytedance/shadowhook/systest/SysTest.java
index ec15680..ac51797 100644
--- a/systest/src/main/java/com/bytedance/shadowhook/systest/SysTest.java
+++ b/systest/src/main/java/com/bytedance/shadowhook/systest/SysTest.java
@@ -47,7 +47,7 @@ public static int init(boolean sharedMode, boolean debuggable, boolean recordabl
             return initErrno;
         }
 
-        // load libsystest.so
+        // load libshadowhooksystest.so
         try {
             System.loadLibrary(libName);
         } catch (Throwable ignored) {