Reputation: 1283
On Windows, we can register a callback function through LdrDllNotification, so that when any DLL is about to be unloaded, we can get a chance to collect some useful information about that DLL, including its address, size, etc.
I don’t know enough about UNIX-like platforms (including Linux, macOS, iOS, Android, etc.). How can I do the same on these platforms?
Upvotes: 1
Views: 1189
Reputation: 69346
On Linux, libraries are loaded and unloaded by the dynamic loader. The loading is usually done automatically when needed by the loader itself, but can also be done manually using the library function dlopen(). The unloading is done manually through dlclose() or automatically at program exit. This is not universally applicable to every Unix system, but only to POSIX compliant ones.
Unfortunately, since (unlike in Windows) the job of loading and unloading libraries is carried out by the dynamic loader (which is just a userspace library), the kernel does not know what is going on and does not provide any mechanism of detecting loading or unloading of dynamic libraries. Even more unfortunately, the loader itself does not provide any such mechanism either. Indeed, there would probably be little-to-no-use for such functionality, apart from usage metrics or similar stuff.
You normally don't even unload libraries at runtime in Linux, unless we are talking about a very complex piece of software that needs to limit its memory footprint when running. The loader loads the libraries when needed at startup (or when the first needed library function is called) and then they are left like any other piece of memory for the kernel to clean up when the program dies.
To my knowledge, the "best" you could do on Linux to detect unloading of dynamic libraries is:
Create your own shared library implementing dlclose() and preload it when running executables. This is explained here and here.
Continuously watch /proc/self/maps, parsing the list of loaded libraries.
Run the program under a debugger like gdb, which can be scripted/automated using Python.
As per other OSes... Android is Linux based, though it has additional security features and apps are sandboxed, unless you root the device or you use a debug shell you can't just "run" other apps hooking them with a custom dlclose() or even a debugger. I can't say much about iOS, but I suspect that implementing such a functionality is not even remotely an option given the very limited abilities of apps (that are also sandboxed). AFAIK macOS also supports dlopen()/dlclose() for manually loading/unloading libraries, however the linker is not the same as the one commonly used on Linux (linked above) so I can't say much about the automatic loading/unloading behavior.
Upvotes: 1
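The /proc/self/maps approach from the answer above, sketched as an added example (not code from the original post): parse two snapshots of the maps text and report each file-backed mapping that disappeared, with its address range. The names `struct mapped_lib`, `parse_maps` and `find_unloaded` are hypothetical, and the caller is assumed to read /proc/self/maps into a NUL-terminated buffer at each poll.

```c
#include <stdio.h>
#include <string.h>

/* Illustrative helper names; not part of any loader or libc API. */
struct mapped_lib { unsigned long start, end; char path[256]; };

/* Parse /proc/<pid>/maps text; segments of one file merge into one record. */
int parse_maps(const char *text, struct mapped_lib *out, int max)
{
    int n = 0;
    while (*text) {
        char line[512], path[256];
        unsigned long s, e;
        size_t len = strcspn(text, "\n"), copy = len < 511 ? len : 511;
        memcpy(line, text, copy);
        line[copy] = '\0';
        /* Fields: start-end perms offset dev inode [path] */
        if (sscanf(line, "%lx-%lx %*s %*s %*s %*s %255[^\n]", &s, &e, path) == 3
            && path[0] == '/') {   /* skip anonymous, [heap], [stack] */
            int i = 0;
            while (i < n && strcmp(out[i].path, path) != 0) i++;
            if (i < n) {           /* another segment of a known file */
                if (s < out[i].start) out[i].start = s;
                if (e > out[i].end) out[i].end = e;
            } else if (n < max) {
                out[n].start = s; out[n].end = e;
                strcpy(out[n++].path, path);
            }
        }
        text += len + (text[len] == '\n');
    }
    return n;
}

/* Copy into gone[] every file mapped in `before` but absent from `after`. */
int find_unloaded(const struct mapped_lib *before, int nb,
                  const struct mapped_lib *after, int na,
                  struct mapped_lib *gone)
{
    int n = 0;
    for (int i = 0; i < nb; i++) {
        int j = 0;
        while (j < na && strcmp(before[i].path, after[j].path) != 0) j++;
        if (j == na) gone[n++] = before[i];
    }
    return n;
}
```

Because this is polling, a library that is loaded and unloaded between two snapshots is never seen, and the reported size is `end - start` of the merged range, which can include gaps between segments.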