
Available Flags & Usage

usage: zelos [-h] [-c CONFIG] [--virtual_filename VIRTUAL_FILENAME]
             [--virtual_path VIRTUAL_PATH] [--log LOG] [--dns] [-t TIMEOUT]
             [-m MEMLIMIT] [--inst_feed [ZML_STRING]] [--inst]
             [--func_feed [ZML_STRING]] [--func] [--syscall_feed [ZML_STRING]]
             [--syscall] [--no_feeds [ZML_STRING]] [--writetrace WRITETRACE]
             [--date DATE] [--startat STARTAT] [--disableNX] [--log_exports]
             [--sandbox SANDBOX] [--mount MOUNT] [-ev KEY=VALUE]
             [--linux_rootfs LINUX_ROOTFS] [--trace_off]
             [--trace_file TRACE_FILE] [--fasttrace] [--export_mem]
             [--export_trace] [--syscall_limit SYSCALL_LIMIT]
             [--syscall_thread_limit SYSCALL_THREAD_LIMIT]
             [--syscall_thread_swap SYSCALL_THREAD_SWAP]
             [--rep_syscall_print_limit REP_SYSCALL_PRINT_LIMIT]
             [--yara_file YARA_FILE] [--yara_file_glob YARA_FILE_GLOB]
             [--yara_rule YARA_RULE] [--yara_outfile YARA_OUTFILE]
             [--yara_pid YARA_PID] [--yara_memdump YARA_MEMDUMP]
             [--yara_brief] [--yara_xrefs] [--yara_max YARA_MAX]
             filename [cmdline_args [cmdline_args ...]]

Positional Arguments


Executable to emulate


Arguments to the executable

Named Arguments

-c, --config

config file path


[Experimental] Start execution at the given hex address.


Disable the no-execute bit. All memory becomes executable.

Default: False



Decide what level of logging should be used. LOG is ‘info’, ‘verbose’, ‘debug’, ‘spam’, ‘notice’, ‘warning’, ‘success’, ‘error’, or ‘fatal’. (default: ‘info’)

Default: “info”


Print a message every time a value at the given memory location is written.

Default: “”


Enable logging of calls to exported functions. (default: off)

Default: False



Provided without input, sets the feed level to INST. This results in enabling the inst, api, and syscall feeds. Alternatively, a ZML string can be used to specify conditions to set the feed level to INST. Multiple triggers can be specified by using this flag multiple times.

Default: []


Shortcut for setting the starting feed level to INST

Default: False


Provided without input, sets the feed level to FUNC. This results in enabling the func and syscall feeds. Alternatively, a ZML string can be used to specify conditions to set the feed level to FUNC. Multiple triggers can be specified by using this flag multiple times.

Default: []


Shortcut for setting the starting feed level to FUNC

Default: False


Provided without input, sets the feed level to SYSCALL. This results in enabling only the syscall feed. Alternatively, a ZML string can be used to specify conditions to set the feed level to SYSCALL. Multiple triggers can be specified by using this flag multiple times. This is the default feed level.

Default: []


Shortcut for setting the starting feed level to SYSCALL. This is a no-op since the default feed level is SYSCALL.

Default: False


Provided without input, sets the feed level to NONE, disabling all feeds. Alternatively, a ZML string can be used to specify conditions to set the feed level to NONE. Multiple triggers can be specified by using this flag multiple times.

Default: []


-t, --timeout

If specified, execution will end after TIMEOUT seconds have passed.

Default: 0

-m, --memlimit

Limits total memory allocation to MEMLIMIT MB.

Default: 0



Simulate DNS response for all domains (resolve to

Default: 0



Emulated filename (if different from real filename).


Emulated file path (optional). (default: ‘/home/admin/zelos_dir/’).

Specifies a permanent root directory for files to be written to. By default, files that are created while executing Zelos are written to a temporary directory that is deleted when Zelos finishes executing. Use this flag to retain files written during execution.


[Experimental] Mount the specified file or path into the emulated root filesystem. Format: ‘--mount ARCH,DEST,SRC’. ARCH is ‘x86’, ‘x86-64’, ‘arm’, or ‘mips’. DEST is the emulated path to mount. SRC is the absolute host path to the file or directory to mount. Can be specified multiple times to mount multiple files.

Default: []

-ev, --env_vars

Emulated environment variables. ENV_VARS is a key value pair of the form KEY=VALUE. Can be specified multiple times to set multiple environment variables. Format: ‘--env_vars FOO=bar --env_vars ZERO=point’.

Default: {}



Emulated system date. Format: YYYY-MM-DD. (default: ‘2019-02-02’)

Default: “2019-02-02”



Specify the rootfs directory for an emulated architecture. Can be specified multiple times to set the rootfs for different architectures, and the appropriate rootfs will be used during emulation. Format: ‘--linux_rootfs ARCH,PATH’. ARCH is ‘x86’, ‘x86-64’, ‘arm’, or ‘mips’. PATH is the absolute host path to the directory to be used as rootfs.

Default: []



Turns off printing on the command line

Default: False


Writes the trace to a file instead of the command line.


Enable instruction-level tracing only the first time a memory address is reached.

Default: 0



Export memory regions.

Default: False


Export dynamic trace data.

Default: False



Stop execution after SYSCALL_LIMIT syscalls are executed.

Default: 0


End THREAD after SYSCALL_THREAD_LIMIT syscalls are executed in that thread.

Default: 0


Swap threads after every SYSCALL_THREAD_SWAP syscalls are executed

Default: 100


After repeating this number of times, syscall printing is temporarily disabled.

Default: 50



Scan memory for yara rules in the specified file(s)

Default: []


Scan memory for yara rules in all files specified by the given glob


Scan memory for the specified yara rule string(s).

Default: []


Dump matches to the specified YAML file.


Only scan memory in the specified pid, otherwise scan all.


Dump matching memory regions to file in the specified directory.


Only dump the list of matching rules, exclude match string details.

Default: False


Count memory cross-references (pointers) for each match.

Default: False


Maximum number of yara matches per region (default: unlimited).
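
Added example, not part of the Zelos documentation: a Python helper (build_zelos_argv, a hypothetical name) that checks the ARCH,DEST,SRC, ARCH,PATH, KEY=VALUE and YYYY-MM-DD formats described above and assembles the argument list for a resource-bounded run. It only builds the list and does not launch zelos; host paths are assumed to be POSIX-style.

```python
import datetime
import posixpath

ARCHES = {"x86", "x86-64", "arm", "mips"}  # ARCH values listed on this page


def _arch(arch):
    if arch not in ARCHES:
        raise ValueError(f"unsupported ARCH {arch!r}")
    return arch


def _host_path(path):
    # SRC and PATH are absolute host paths; a comma inside one would
    # corrupt the comma-separated spec.
    if not posixpath.isabs(path) or "," in path:
        raise ValueError(f"need an absolute, comma-free host path: {path!r}")
    return path


def build_zelos_argv(filename, target_args=(), *, timeout=0, memlimit=0,
                     syscall_limit=0, date=None, env=None, mounts=(),
                     rootfs=()):
    """Return an argv list for zelos (hypothetical helper, runs nothing)."""
    argv = ["zelos"]
    for flag, value in (("--timeout", timeout), ("--memlimit", memlimit),
                        ("--syscall_limit", syscall_limit)):
        if not isinstance(value, int) or value < 0:
            raise ValueError(f"{flag} must be a non-negative integer")
        if value:  # 0 is the default shown on this page, so it is omitted
            argv += [flag, str(value)]
    if date is not None:
        # Accept only the exact YYYY-MM-DD form of a real calendar date.
        if datetime.date.fromisoformat(date).isoformat() != date:
            raise ValueError("date must be YYYY-MM-DD")
        argv += ["--date", date]
    for key, value in (env or {}).items():
        if not key or "=" in key:
            raise ValueError(f"bad environment variable name {key!r}")
        argv += ["--env_vars", f"{key}={value}"]
    for arch, dest, src in mounts:  # --mount ARCH,DEST,SRC
        if "," in dest:
            raise ValueError(f"DEST must not contain a comma: {dest!r}")
        argv += ["--mount", f"{_arch(arch)},{dest},{_host_path(src)}"]
    for arch, path in rootfs:  # --linux_rootfs ARCH,PATH
        argv += ["--linux_rootfs", f"{_arch(arch)},{_host_path(path)}"]
    # Options first, then the executable and its own arguments (usage order).
    return argv + [filename, *target_args]
```

Pass the returned list to subprocess.run without shell=True so that sample filenames and arguments are never interpreted by a shell.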