diff --git a/src/CMakeLists.txt b/src/CMakeLists.txt
index 607d628..cadd249 100644
--- a/src/CMakeLists.txt
+++ b/src/CMakeLists.txt
@@ -3,16 +3,15 @@ find_package(nlohmann_json REQUIRED)
 include_directories(${PROJECT_SOURCE_DIR})
 include_directories(${CMAKE_CURRENT_SOURCE_DIR})
 
-add_library(optional SHARED optional.cpp execsnoop.cpp)
-target_link_libraries(optional bcc)
-install(TARGETS optional DESTINATION /usr/lib/cgproxy/ PERMISSIONS ${basic_permission})
+add_library(execsnoop MODULE execsnoop.cpp common.cpp)
+target_link_libraries(execsnoop bcc)
+install(TARGETS execsnoop DESTINATION /usr/lib/cgproxy/ PERMISSIONS ${basic_permission})
 
 add_executable(main main.cpp
                     common.cpp config.cpp cgroup_attach.cpp
                     socket_client.cpp socket_server.cpp)
 
-target_link_libraries(main PRIVATE nlohmann_json::nlohmann_json Threads::Threads)
-target_link_libraries(main PRIVATE optional)
+target_link_libraries(main PRIVATE nlohmann_json::nlohmann_json Threads::Threads dl)
 set_target_properties(main PROPERTIES LINKER_LANGUAGE CXX)
 set_target_properties(main PROPERTIES OUTPUT_NAME cgproxy)
 
diff --git a/src/cgproxyd.hpp b/src/cgproxyd.hpp
index 4520868..5ed6bf2 100644
--- a/src/cgproxyd.hpp
+++ b/src/cgproxyd.hpp
@@ -8,20 +8,41 @@
 #include <algorithm>
 #include <csignal>
 #include <cstdlib>
+#include <exception>
 #include <fstream>
+#include <functional>
 #include <nlohmann/json.hpp>
 #include <pthread.h>
 #include <sched.h>
 #include <sys/file.h>
 #include <unistd.h>
-#include "optional.h"
+#include <dlfcn.h>
+#include "execsnoop.h"
 
 using namespace std;
 using json = nlohmann::json;
 using namespace ::CGPROXY::SOCKET;
 using namespace ::CGPROXY::CONFIG;
 using namespace ::CGPROXY::CGROUP;
-using namespace ::CGPROXY::EXESNOOP;
+// using namespace ::CGPROXY::EXESNOOP;
+
+namespace CGPROXY::EXECSNOOP{
+  typedef void* (*startThread_t)(void *arg);
+  startThread_t _startThread;
+  bool loadExecsnoopLib(){
+    try {
+      info("loading %s",LIBEXECSNOOP_SO);
+      void* handle_dl=dlopen(LIBEXECSNOOP_SO,RTLD_NOW);
+      if (handle_dl==NULL) {error("dlopen %s failed: %s",LIBEXECSNOOP_SO, dlerror());return false;}
+      _startThread= reinterpret_cast<startThread_t> (dlsym(handle_dl, "_startThread"));
+      if (_startThread==NULL){error("dlsym startThread failed: %s",dlerror());return false;}
+      info("dlsym startThread success");
+      return true;
+    } catch (exception &e) {
+      return false;
+    }
+  }
+}
 
 namespace CGPROXY::CGPROXYD {
 
@@ -33,7 +54,7 @@ class cgproxyd {
   SOCKET::thread_arg socketserver_thread_arg;
   pthread_t socket_thread_id = -1;
 
-  EXESNOOP::thread_arg execsnoop_thread_arg;
+  EXECSNOOP::thread_arg execsnoop_thread_arg;
   pthread_t execsnoop_thread_id = -1;
 
   Config config;
@@ -162,11 +183,13 @@ class cgproxyd {
     return thread_id;
   }
 
-  pthread_t startExecSnoopThread() {
+  pthread_t startExecsnoopThread() {
+    if (!EXECSNOOP::loadExecsnoopLib()||EXECSNOOP::_startThread==NULL) {error("execsnoop start failed");exit(EXIT_FAILURE);}
+
     execsnoop_thread_arg.handle_pid = &handle_pid_static;
     pthread_t thread_id;
     int status =
-        pthread_create(&thread_id, NULL, &EXESNOOP::startThread, &execsnoop_thread_arg);
+        pthread_create(&thread_id, NULL, EXECSNOOP::_startThread, &execsnoop_thread_arg);
     if (status != 0) error("execsnoop thread create failed");
     return thread_id;
   }
@@ -201,8 +224,7 @@ public:
     processRunningProgram();
 
     if (enable_socketserver) { socket_thread_id = startSocketListeningThread(); }
-    if (enable_execsnoop) { execsnoop_thread_id = startExecSnoopThread(); }
-
+    if (enable_execsnoop) { execsnoop_thread_id = startExecsnoopThread(); }
     cout<<flush;
     
     pthread_join(socket_thread_id, NULL);
@@ -221,7 +243,6 @@ public:
   void stop() {
     debug("stopping");
     system(TPROXY_IPTABLS_CLEAN);
-    // if (exec_snoop_pid != -1) kill(exec_snoop_pid, SIGINT);
     unlock();
   }
 
@@ -246,6 +267,7 @@ void processArgs(const int argc, char *argv[]) {
 }
 
 int main(int argc, char *argv[]) {
+  setbuf(stdout, NULL);
   processArgs(argc, argv);
   if (print_help) {
     print_usage();
diff --git a/src/common.h b/src/common.h
index 3d795df..a5d05b9 100644
--- a/src/common.h
+++ b/src/common.h
@@ -10,6 +10,7 @@ using namespace std;
 #define TPROXY_IPTABLS_START "/usr/share/cgproxy/scripts/cgroup-tproxy.sh"
 #define TPROXY_IPTABLS_CLEAN "/usr/share/cgproxy/scripts/cgroup-tproxy.sh stop"
 
+#define LIBEXECSNOOP_SO "/usr/lib/cgproxy/libexecsnoop.so"
 #define PID_LOCK_FILE "/var/run/cgproxyd.pid"
 #define SOCKET_PATH "/tmp/cgproxy_unix_socket"
 #define LISTEN_BACKLOG 64
diff --git a/src/execsnoop.cpp b/src/execsnoop.cpp
index 0412e04..0d91540 100644
--- a/src/execsnoop.cpp
+++ b/src/execsnoop.cpp
@@ -6,9 +6,10 @@
 #include <iostream>
 #include <string>
 #include <unistd.h>
+#include "execsnoop.h"
 using namespace std;
 
-namespace CGPROXY::EXESNOOP {
+namespace CGPROXY::EXECSNOOP {
 
 const string BPF_PROGRAM = R"(
 #include <linux/fs.h>
@@ -89,4 +90,16 @@ int execsnoop() {
   return 0;
 }
 
-} // namespace CGPROXY::EXESNOOP
\ No newline at end of file
+void *startThread(void *arg) {
+  thread_arg *p = (thread_arg *)arg;
+  callback = p->handle_pid;
+  execsnoop();
+  return (void *)0;
+}
+
+
+} // namespace CGPROXY::EXESNOOP
+
+extern "C" void *_startThread(void *arg) {
+  return CGPROXY::EXECSNOOP::startThread(arg);
+}
\ No newline at end of file
diff --git a/src/execsnoop.h b/src/execsnoop.h
index f496036..ef6c64c 100644
--- a/src/execsnoop.h
+++ b/src/execsnoop.h
@@ -5,7 +5,7 @@
 #include <string>
 using namespace std;
 
-namespace CGPROXY::EXESNOOP {
+namespace CGPROXY::EXECSNOOP {
 
 extern const string BPF_PROGRAM;
 struct data_t;
@@ -13,5 +13,10 @@ extern function<int(int)> callback;
 void handle_events(void *cb_cookie, void *data, int data_size);
 int execsnoop(); 
 
+struct thread_arg {
+  function<int(int)> handle_pid;
+};
+void *startThread(void *arg);
+
 } // namespace CGPROXY::EXESNOOP
 #endif
\ No newline at end of file
diff --git a/src/optional.cpp b/src/optional.cpp
deleted file mode 100644
index 4678a76..0000000
--- a/src/optional.cpp
+++ /dev/null
@@ -1,14 +0,0 @@
-#include "optional.h"
-#include "common.h"
-#include "execsnoop.h"
-
-namespace CGPROXY::EXESNOOP {
-
-void *startThread(void *arg) {
-  thread_arg *p = (thread_arg *)arg;
-  callback = p->handle_pid;
-  execsnoop();
-  return (void *)0;
-}
-
-}
\ No newline at end of file
diff --git a/src/optional.h b/src/optional.h
deleted file mode 100644
index 8a16c32..0000000
--- a/src/optional.h
+++ /dev/null
@@ -1,16 +0,0 @@
-#ifndef OPTIONAL_H
-#define OPTIONAL_H 1
-
-#include <functional>
-using namespace std;
-
-namespace CGPROXY::EXESNOOP {
-
-struct thread_arg {
-  function<int(int)> handle_pid;
-};
-void *startThread(void *arg);
-
-}
-
-#endif
\ No newline at end of file
diff --git a/tools/CMakeLists.txt b/tools/CMakeLists.txt
index c85a2fe..9630987 100644
--- a/tools/CMakeLists.txt
+++ b/tools/CMakeLists.txt
@@ -4,6 +4,7 @@ include_directories(${PROJECT_SOURCE_DIR}/src)
 add_executable(cgattach cgattach.cpp ../src/cgroup_attach.cpp ../src/common.cpp)
 install(TARGETS cgattach  DESTINATION /usr/bin PERMISSIONS ${basic_permission})
 
-add_executable(execsnoop execsnoop.cpp ../src/common.cpp)
-target_link_libraries(execsnoop bcc)
-install(TARGETS execsnoop  DESTINATION /usr/bin PERMISSIONS ${basic_permission})
\ No newline at end of file
+add_executable(execsnoop_exec execsnoop.cpp ../src/common.cpp ../src/execsnoop.cpp)
+set_target_properties(execsnoop_exec PROPERTIES OUTPUT_NAME execsnoop)
+target_link_libraries(execsnoop_exec bcc)
+install(TARGETS execsnoop_exec  DESTINATION /usr/bin PERMISSIONS ${basic_permission})
\ No newline at end of file
diff --git a/tools/execsnoop.cpp b/tools/execsnoop.cpp
index d401da4..c84f381 100644
--- a/tools/execsnoop.cpp
+++ b/tools/execsnoop.cpp
@@ -1,7 +1,8 @@
-#include "execsnoop.hpp"
+#include "execsnoop.h"
 #include "common.h"
+#include <unistd.h>
 using namespace std;
-using namespace CGPROXY::EXESNOOP;
+using namespace CGPROXY::EXECSNOOP;
 
 #define PATH_MAX_LEN 128