Flags

Available Flags & Usage

usage: zelos [-h] [-c CONFIG] [--virtual_filename VIRTUAL_FILENAME]
             [--virtual_path VIRTUAL_PATH] [--log LOG] [--dns] [-t TIMEOUT]
             [-m MEMLIMIT] [--inst_feed [ZML_STRING]] [--inst]
             [--func_feed [ZML_STRING]] [--func] [--syscall_feed [ZML_STRING]]
             [--syscall] [--no_feeds [ZML_STRING]] [--writetrace WRITETRACE]
             [--date DATE] [--startat STARTAT] [--disableNX] [--log_exports]
             [--sandbox SANDBOX] [--mount MOUNT] [-ev KEY=VALUE]
             [--linux_rootfs LINUX_ROOTFS] [--trace_off]
             [--trace_file TRACE_FILE] [--fasttrace] [--export_mem]
             [--export_trace] [--syscall_limit SYSCALL_LIMIT]
             [--syscall_thread_limit SYSCALL_THREAD_LIMIT]
             [--syscall_thread_swap SYSCALL_THREAD_SWAP]
             [--rep_syscall_print_limit REP_SYSCALL_PRINT_LIMIT]
             [--yara_file YARA_FILE] [--yara_file_glob YARA_FILE_GLOB]
             [--yara_rule YARA_RULE] [--yara_outfile YARA_OUTFILE]
             [--yara_pid YARA_PID] [--yara_memdump YARA_MEMDUMP]
             [--yara_brief] [--yara_xrefs] [--yara_max YARA_MAX]
             filename [cmdline_args [cmdline_args ...]]

Positional Arguments

filename

Executable to emulate

cmdline_args

Arguments to the executable

Named Arguments

-c, --config

config file path

--startat

[Experimental] Start execution at the given hex address.

--disableNX

Disable the no-execute bit. All memory becomes executable.

Default: False

logging

--log

Decide what level of logging should be used. LOG is ‘info’, ‘verbose’, ‘debug’, ‘spam’, ‘notice’, ‘warning’, ‘success’, ‘error’, or ‘fatal’. (default: ‘info’)

Default: “info”

--writetrace

Print a message every time a value at the given memory location is written.

Default: “”

--log_exports

Enable logging of calls to exported functions. (default: off)

Default: False

feeds

--inst_feed

Provided without input, sets the feed level to INST. This results in enabling the inst, api, and syscall feeds. Alternatively, a ZML string can be used to specify conditions to set the feed level to INST. Multiple triggers can be specified by using this flag multiple times.

Default: []

--inst

Shortcut for setting the starting feed level to INST

Default: False

--func_feed

Provided without input, sets the feed level to FUNC. This results in enabling the func and syscall feeds. Alternatively, a ZML string can be used to specify conditions to set the feed level to FUNC. Multiple triggers can be specified by using this flag multiple times.

Default: []

--func

Shortcut for setting the starting feed level to FUNC

Default: False

--syscall_feed

Provided without input, sets the feed level to SYSCALL. This results in enabling only the syscall feed. Alternatively, a ZML string can be used to specify conditions to set the feed level to SYSCALL. Multiple triggers can be specified by using this flag multiple times. This is the default feed level.

Default: []

--syscall

Shortcut for setting the starting feed level to SYSCALL. This is a no-op since the default feed level is SYSCALL.

Default: False

--no_feeds

Provided without input, sets the feed level to NONE, disabling all feeds. Alternatively, a ZML string can be used to specify conditions to set the feed level to NONE. Multiple triggers can be specified by using this flag multiple times.

Default: []

limits

-t, --timeout

If specified, execution will end after TIMEOUT seconds have passed.

Default: 0

-m, --memlimit

Limits memory allocation to MEMLIMIT total MB.

Default: 0

networking

--dns

Simulate DNS response for all domains (resolve to 127.0.0.1)

Default: 0

filesystem

--virtual_filename

Emulated filename (if different from real filename).

--virtual_path

Emulated file path (optional). (default: ‘/home/admin/zelos_dir/’).

--sandbox

Specifies a permanent root directory for files to be written to. By default, files that are created while executing Zelos are written to a temporary directory that is deleted when Zelos finishes executing. Use this flag to retain files written during execution.

--mount

[Experimental] Mount the specified file or path into the emulated root filesystem. Format: ‘--mount ARCH,DEST,SRC’. ARCH is ‘x86’, ‘x86-64’, ‘arm’, or ‘mips’. DEST is the emulated path to mount. SRC is the absolute host path to the file or directory to mount. Can be specified multiple times to mount multiple files.

Default: []

-ev, --env_vars

Emulated environment variables. ENV_VARS is a key value pair of the form KEY=VALUE. Can be specified multiple times to set multiple environment variables. Format: ‘--env_vars FOO=bar --env_vars ZERO=point’.

Default: {}

clock

--date

Emulated system date. Format: YYYY-MM-DD. (default: ‘2019-02-02’)

Default: “2019-02-02”

zelos/ext/platforms/linux/linux.py

--linux_rootfs

Specify the rootfs directory for an emulated architecture. Can be specified multiple times to set the rootfs for different architectures, and the appropriate rootfs will be used during emulation. Format: ‘--linux_rootfs ARCH,PATH’. ARCH is ‘x86’, ‘x86-64’, ‘arm’, or ‘mips’. PATH is the absolute host path to the directory to be used as rootfs.

Default: []

zelos/ext/plugins/trace.py

--trace_off

Turns off trace printing on the command line.

Default: False

--trace_file

Writes the trace to a file instead of the command line.

--fasttrace

Enable instruction-level tracing only the first time a memory address is reached.

Default: 0

zelos/ext/plugins/overlay/overlay.py

--export_mem

Export memory regions.

Default: False

--export_trace

Export dynamic trace data.

Default: False

zelos/ext/plugins/syscall_limiter.py

--syscall_limit

Stop execution after SYSCALL_LIMIT syscalls are executed.

Default: 0

--syscall_thread_limit

End a thread after SYSCALL_THREAD_LIMIT syscalls are executed in that thread.

Default: 0

--syscall_thread_swap

Swap threads after every SYSCALL_THREAD_SWAP syscalls are executed.

Default: 100

--rep_syscall_print_limit

After repeating this number of times, syscall printing is temporarily disabled.

Default: 50

zelos/ext/plugins/yarascan/yarascan.py

--yara_file

Scan memory for YARA rules in the specified file(s).

Default: []

--yara_file_glob

Scan memory for YARA rules in all files matched by the given glob.

--yara_rule

Scan memory for the specified YARA rule string(s).

Default: []

--yara_outfile

Dump matches to the specified YAML file.

--yara_pid

Only scan memory in the specified pid, otherwise scan all.

--yara_memdump

Dump matching memory regions to file in the specified directory.

--yara_brief

Only dump the list of matching rules, exclude match string details.

Default: False

--yara_xrefs

Count memory cross-references (pointers) for each match.

Default: False

--yara_max

Maximum number of YARA matches per region (default: unlimited).