Available Flags & Usage

usage: zelos [-h] [-c CONFIG] [--virtual_filename VIRTUAL_FILENAME]
             [--virtual_path VIRTUAL_PATH] [-v] [--log LOG] [--dns]
             [--fasttrace] [-t TIMEOUT] [-m MEMLIMIT] [--traceon TRACEON]
             [--traceoff TRACEOFF] [--tracethread TRACETHREAD]
             [--writetrace WRITETRACE] [--date DATE] [--startat STARTAT]
             [--disableNX] [--strace STRACE] [--log_exports]
             [--no_log_syscalls] [--mount MOUNT] [--env_vars ENV_VARS]
             [--export_mem] [--export_insts] [--export_funcs]
             [--syscall_limit SYSCALL_LIMIT]
             [--syscall_thread_limit SYSCALL_THREAD_LIMIT]
             [--syscall_thread_swap SYSCALL_THREAD_SWAP]
             [--rep_syscall_print_limit REP_SYSCALL_PRINT_LIMIT]
             [--linux_rootfs LINUX_ROOTFS]
             filename [cmdline_args [cmdline_args ...]]

Positional Arguments


Executable to emulate


Arguments to the executable

Named Arguments

-c, --config

config file path


[Experimental] Start execution at the given hex address.


Disable the no-execute bit. All memory becomes executable.

Default: False


-v, --verbosity

Increase output verbosity. Enables instruction-level tracing.

Default: 0


Decide what level of logging should be used. LOG is ‘info’, ‘verbose’, ‘debug’, ‘spam’, ‘notice’, ‘warning’, ‘success’, ‘error’, or ‘fatal’. Note that this does not affect verbosity. (default: ‘info’)

Default: “info”


Enable instruction-level tracing only the first time a memory address is reached.

Default: 0


[Experimental] Enable verbose tracing after specified address or API name.

Default: “”


[Experimental] Disable verbose tracing after specified address or API name.

Default: “”


[Experimental] Enable verbose tracing on a single thread.

Default: “”


Print a message every time a value at the given memory location is written.

Default: “”


Enable logging of calls to exported functions. (default: off)

Default: False


Disable logging of syscalls.

Default: True



Writes the system call trace to the specified output file.


-t, --timeout

If specified, execution will end after TIMEOUT seconds have passed.

Default: 0

-m, --memlimit

Limits memory allocation to MEMLIMIT total mb.

Default: 0



Simulate DNS response for all domains (resolve to

Default: 0



Emulated filename (if different from real filename).


Emulated file path (optional). (default: ‘/home/admin/zelos_dir/’).


[Experimental] Mount the specified file or path into the emulated root filesystem. Format: ‘–mount ARCH,DEST,SRC’. ARCH is ‘x86’, ‘x86-64’, ‘arm’, or ‘mips’. DEST is the emulated path to mount. SRC is the absolute host path to the file or directory to mount. Can be specified multiple times to mount multiple files.

Default: []


Emulated environment variables. ENV_VARS is a comma separated key value pair. Can be specified multiple times to set multiple environment variables. Format: ‘–env_vars FOO:bar –env_vars ZERO:point’.

Default: []



Emulated system date. Format: YYYY-MM-DD. (default: ‘2019-02-02’)

Default: “2019-02-02”



Export memory regions.

Default: False


Export instructions.

Default: False


Export functions.

Default: False



Stop execution after SYSCALL_LIMIT syscalls are executed.

Default: 0


End THREAD after SYSCALL_THREAD_LIMIT syscalls are executed in that thread

Default: 0


Swap threads after every SYSCALL_THREAD_SWAP syscalls are executed

Default: 100


After repeating this number of times, syscall printing is temporarily disabled.

Default: 50



Specify the rootfs directory for an emulated architecture. Can be specified multiple times to set the rootfs for different architectures, and the appropriate rootfs will be used during emulation. Format: ‘–linux_rootfs ARCH,PATH’. ARCH is ‘x86’, ‘x86-64’, ‘arm’, or ‘mips’. PATH is the absolute host path to the directory to be used as rootfs.

Default: []