Flags
Available Flags & Usage
usage: zelos [-h] [-c CONFIG] [--virtual_filename VIRTUAL_FILENAME]
[--virtual_path VIRTUAL_PATH] [--log LOG] [--dns] [-t TIMEOUT]
[-m MEMLIMIT] [--inst_feed [ZML_STRING]] [--inst]
[--func_feed [ZML_STRING]] [--func] [--syscall_feed [ZML_STRING]]
[--syscall] [--no_feeds [ZML_STRING]] [--writetrace WRITETRACE]
[--date DATE] [--startat STARTAT] [--disableNX] [--log_exports]
[--sandbox SANDBOX] [--mount MOUNT] [-ev KEY=VALUE]
[--linux_rootfs LINUX_ROOTFS] [--trace_off]
[--trace_file TRACE_FILE] [--fasttrace] [--export_mem]
[--export_trace] [--syscall_limit SYSCALL_LIMIT]
[--syscall_thread_limit SYSCALL_THREAD_LIMIT]
[--syscall_thread_swap SYSCALL_THREAD_SWAP]
[--rep_syscall_print_limit REP_SYSCALL_PRINT_LIMIT]
[--yara_file YARA_FILE] [--yara_file_glob YARA_FILE_GLOB]
[--yara_rule YARA_RULE] [--yara_outfile YARA_OUTFILE]
[--yara_pid YARA_PID] [--yara_memdump YARA_MEMDUMP]
[--yara_brief] [--yara_xrefs] [--yara_max YARA_MAX]
filename [cmdline_args [cmdline_args ...]]
Positional Arguments
- filename
Executable to emulate
- cmdline_args
Arguments to the executable
Named Arguments
- -c, --config
config file path
- --startat
[Experimental] Start execution at the given hex address.
- --disableNX
Disable the no-execute bit so that all mapped memory becomes executable. This removes the emulated process's W^X protection, so use it only for samples that legitimately execute from data mappings.
Default: False
logging
- --log
Decide what level of logging should be used. LOG is ‘info’, ‘verbose’, ‘debug’, ‘spam’, ‘notice’, ‘warning’, ‘success’, ‘error’, or ‘fatal’. (default: ‘info’)
Default: “info”
- --writetrace
Print a message every time a value at the given memory location is written.
Default: “”
- --log_exports
Enable logging of calls to exported functions. (default: off)
Default: False
feeds
- --inst_feed
Provided without input, sets the feed level to INST. This results in enabling the inst, api, and syscall feeds. Alternatively, a ZML string can be used to specify conditions under which the feed level is set to INST. Multiple triggers can be specified by using this flag multiple times.
Default: []
- --inst
Shortcut for setting the starting feed level to INST
Default: False
- --func_feed
Provided without input, sets the feed level to FUNC. This results in enabling the func and syscall feeds. Alternatively, a ZML string can be used to specify conditions under which the feed level is set to FUNC. Multiple triggers can be specified by using this flag multiple times.
Default: []
- --func
Shortcut for setting the starting feed level to FUNC
Default: False
- --syscall_feed
Provided without input, sets the feed level to SYSCALL. This results in enabling only the syscall feed. Alternatively, a ZML string can be used to specify conditions under which the feed level is set to SYSCALL. Multiple triggers can be specified by using this flag multiple times. This is the default feed level.
Default: []
- --syscall
Shortcut for setting the starting feed level to SYSCALL. This is a no-op since the default feed level is SYSCALL.
Default: False
- --no_feeds
Provided without input, sets the feed level to NONE, disabling all feeds. Alternatively, a ZML string can be used to specify conditions under which the feed level is set to NONE. Multiple triggers can be specified by using this flag multiple times.
Default: []
limits
- -t, --timeout
If specified, execution will end after TIMEOUT seconds have passed.
Default: 0
- -m, --memlimit
Limits memory allocation to MEMLIMIT total MB.
Default: 0
networking
- --dns
Simulate a DNS response for all domains (every name resolves to 127.0.0.1).
Default: 0
filesystem
- --virtual_filename
Emulated filename (if different from real filename).
- --virtual_path
Emulated file path (optional). (default: ‘/home/admin/zelos_dir/’).
- --sandbox
Specifies a permanent root directory for files to be written to. By default, files that are created while executing Zelos are written to a temporary directory that is deleted when Zelos finishes executing. Use this flag to retain files written during execution.
- --mount
[Experimental] Mount the specified file or path into the emulated root filesystem. Format: ‘--mount ARCH,DEST,SRC’. ARCH is ‘x86’, ‘x86-64’, ‘arm’, or ‘mips’. DEST is the emulated path to mount at. SRC is the absolute host path to the file or directory to mount. Can be specified multiple times to mount multiple files.
Default: []
- -ev, --env_vars
Emulated environment variables. ENV_VARS is a key-value pair of the form KEY=VALUE. Can be specified multiple times to set multiple environment variables. Format: ‘--env_vars FOO=bar --env_vars ZERO=point’.
Default: {}
clock
- --date
Emulated system date. Format: YYYY-MM-DD. (default: ‘2019-02-02’)
Default: “2019-02-02”
zelos/ext/platforms/linux/linux.py
- --linux_rootfs
Specify the rootfs directory for an emulated architecture. Can be specified multiple times to set the rootfs for different architectures; the appropriate rootfs will be used during emulation. Format: ‘--linux_rootfs ARCH,PATH’. ARCH is ‘x86’, ‘x86-64’, ‘arm’, or ‘mips’. PATH is the absolute host path to the directory to be used as the rootfs.
Default: []
zelos/ext/plugins/trace.py
- --trace_off
Turns off trace printing on the command line.
Default: False
- --trace_file
Writes the trace to a file instead of the command line.
- --fasttrace
Enable instruction-level tracing only the first time a memory address is reached.
Default: 0
zelos/ext/plugins/overlay/overlay.py
- --export_mem
Export memory regions.
Default: False
- --export_trace
Export dynamic trace data.
Default: False
zelos/ext/plugins/syscall_limiter.py
- --syscall_limit
Stop execution after SYSCALL_LIMIT syscalls are executed.
Default: 0
- --syscall_thread_limit
End a thread after SYSCALL_THREAD_LIMIT syscalls have been executed in that thread.
Default: 0
- --syscall_thread_swap
Swap threads after every SYSCALL_THREAD_SWAP syscalls executed.
Default: 100
- --rep_syscall_print_limit
After a syscall repeats this many times, printing of that syscall is temporarily disabled.
Default: 50
zelos/ext/plugins/yarascan/yarascan.py
- --yara_file
Scan memory for yara rules in the specified file(s)
Default: []
- --yara_file_glob
Scan memory for yara rules in all files specified by the given glob
- --yara_rule
Scan memory for the specified yara rule string(s).
Default: []
- --yara_outfile
Dump matches to the specified YAML file.
- --yara_pid
Only scan memory in the specified pid, otherwise scan all.
- --yara_memdump
Dump matching memory regions to file in the specified directory.
- --yara_brief
Only dump the list of matching rules, exclude match string details.
Default: False
- --yara_xrefs
Count memory cross-references (pointers) for each match.
Default: False
- --yara_max
Maximum number of yara matches per region (default: unlimited).
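The flags above are usually combined into one run rather than used one at a time. The POSIX shell script below is an added example, not code from the Zelos project, that composes a single reproducible analysis run from the feeds, limits, networking, filesystem, clock, trace, overlay and yarascan flags documented on this page, and includes a dry-run mode so the comma-formatted values for --mount and --linux_rootfs and the repeated --env_vars flags can be checked before the emulator runs. The sample path, the yara rule glob, the output directory, the host rootfs directory, the fixture file mounted over /etc/hosts and the ZML condition "syscall=connect" used as a feed trigger are all assumptions for illustration.

```sh
#!/bin/sh
# Added example (not part of the Zelos project): compose one reproducible
# Zelos run from the flags documented on this page.
# Assumed for illustration (not from the page): the sample path, rule glob,
# output directory, host rootfs directory, the fixture mounted over /etc/hosts
# and the ZML condition "syscall=connect" used to raise the feed level.

SAMPLE="${SAMPLE:-./suspicious.elf}"           # assumed sample to emulate
RULES="${RULES:-./rules/*.yar}"                 # assumed host yara rule files
OUT="${OUT:-./zelos_out}"                       # assumed output root
ROOTFS="${ROOTFS:-/opt/zelos/rootfs/x86-64}"    # assumed host rootfs for x86-64

# Run "$1" with the full flag set. Passing "zelos" performs the emulation;
# passing print_args dry-runs it so the argument list can be inspected first.
# Any further arguments become cmdline_args of the emulated sample.
with_zelos_flags() {
  cmd=$1; shift
  "$cmd" \
    --timeout 60 \
    --memlimit 512 \
    --syscall_limit 200000 \
    --dns \
    --date 2019-02-02 \
    --sandbox "$OUT/sandbox" \
    --linux_rootfs "x86-64,$ROOTFS" \
    --mount "x86-64,/etc/hosts,$PWD/fixtures/hosts" \
    --env_vars HOME=/home/admin \
    --env_vars PATH=/usr/bin:/bin \
    --inst_feed "syscall=connect" \
    --trace_file "$OUT/trace.log" \
    --yara_file_glob "$RULES" \
    --yara_outfile "$OUT/yara.yaml" \
    --yara_memdump "$OUT/memdump" \
    --yara_brief \
    --export_mem \
    "$SAMPLE" "$@"
}

# One argument per line, so values containing spaces stay intact.
print_args() { printf '%s\n' "$@"; }

# Dry run: show exactly what zelos would receive, without running it.
dry_run() { with_zelos_flags print_args "$@"; }

# How many times a flag appears in the dry run (repeatable flags such as
# --env_vars and --mount are given once per value).
count_flag() { dry_run | grep -c -x -- "$1"; }

# Real run; falls back to a dry run when zelos is not installed.
run_zelos() {
  if ! command -v zelos >/dev/null 2>&1; then
    echo "zelos not on PATH; dry run only:" >&2
    dry_run "$@" >&2
    return 0
  fi
  mkdir -p "$OUT/sandbox" "$OUT/memdump"   # retained sandbox and yara dumps
  with_zelos_flags zelos "$@"
}
```

Call `dry_run` first and read the printed argument list: the ARCH,DEST,SRC and ARCH,PATH values must be single arguments, every --env_vars pair must appear as its own flag, and the sample path must be the last item before any cmdline_args. Only then call `run_zelos`; because --sandbox points at a fixed directory, files the sample drops survive the run alongside the trace, the yara YAML and the exported memory.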