Zelos is a Python-based binary emulation and instrumentation platform that enables dynamic analysis of Linux and embedded binaries through syscall emulation and CPU virtualization.
A comprehensive binary emulation and instrumentation platform.
Zelos is primarily used by security researchers and reverse engineers to quickly analyze the dynamic behavior of binaries in a controlled, emulated environment without executing them on a real system. It supports multiple architectures and allows automation via command-line or Python scripts, making it ideal for exploitation testing, forensic analysis, and security automation.
Zelos depends on Python and the Unicorn engine; using a virtual environment is recommended to avoid package conflicts. Its syscall emulation isolates binaries from the host system, enhancing safety during dynamic analysis. Users can extend functionality via plugins for advanced use cases like symbolic execution and remote debugging.
Create a Python virtual environment (optional but recommended): python3 -m venv ~/.venv/zelos
Activate the virtual environment: source ~/.venv/zelos/bin/activate
Install zelos using pip: pip install zelos
zelos my_binary
Emulate a binary with default options
zelos --inst my_binary
Emulate a binary and display the instructions being executed
zelos --inst --fasttrace my_binary
Display only the first execution of each instruction instead of every execution
zelos --trace_file path/to/file my_binary
Write syscall traces to a specified file instead of stdout
zelos my_binary arg1 arg2
Pass command line arguments to the emulated binary
import zelos
z = zelos.Zelos("my_binary")
z.start(timeout=3)
Programmatically start emulation of a binary with a timeout using the Python API
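For triaging a file written with --trace_file, the following is an added example (not part of the original page or the Zelos project's own code) that parses syscall lines and groups the notable ones by behaviour. The line shape `[thread] [SYSCALL] name ( args ) -> ret`, the category lists, and the sample lines are assumptions constructed for illustration.

```python
import re
from collections import Counter

# Assumed line shape, modelled on Zelos's console syscall output:
#   [thread] [SYSCALL] name ( arg=value, ... ) -> return_value
LINE_RE = re.compile(
    r"^\[(?P<thread>[^\]]+)\]\s+\[SYSCALL\]\s+(?P<name>\w+)\s*"
    r"\(\s*(?P<args>.*?)\s*\)\s*->\s*(?P<ret>\S+)\s*$"
)

# Syscalls worth a closer look during triage, grouped by behaviour.
CATEGORIES = {
    "network": {"socket", "connect", "bind", "listen", "accept", "sendto"},
    "process": {"execve", "fork", "vfork", "clone", "ptrace", "kill"},
    "file": {"open", "openat", "unlink", "unlinkat", "rename", "chmod"},
    "memory": {"mprotect", "mmap"},
}

def parse_trace(lines):
    """Yield one dict per syscall line; skip anything that does not match."""
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            yield m.groupdict()

def triage(lines):
    """Return (per-category counts, list of flagged calls in trace order)."""
    counts, flagged = Counter(), []
    for call in parse_trace(lines):
        for category, names in CATEGORIES.items():
            if call["name"] in names:
                counts[category] += 1
                flagged.append((category, call["name"], call["args"], call["ret"]))
    return counts, flagged

# Constructed sample trace (not output from a real run).
SAMPLE_TRACE = """\
[main] [SYSCALL] brk ( addr=0x0 ) -> 90000038
[main] [SYSCALL] openat ( dirfd=0xffffff9c, pathname=0x4a1b2c ("/etc/passwd"), flags=0x0 ) -> 12
[main] [SYSCALL] socket ( domain=0x2 (AF_INET), type=0x1 (SOCK_STREAM), protocol=0x0 ) -> 13
[main] [SYSCALL] connect ( sockfd=0xd, addr=0xff08eb38, addrlen=0x10 ) -> 0
[StdOut]: 'bytearray(b'done\\n')'
[main] [SYSCALL] exit_group ( status=0x0 ) -> None
""".splitlines()

if __name__ == "__main__":
    counts, flagged = triage(SAMPLE_TRACE)
    print(dict(counts), *flagged, sep="\n")
```

To use it on a real trace, pass the opened trace file to triage() in place of SAMPLE_TRACE and adjust LINE_RE if the file's line format differs from the assumed one.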