Fugu is a web-based binary analysis lab: a Next.js 16 dashboard that plates angr telemetry like a nutrition label, lets you inspect taint flows in a call-graph aquarium, and pipes a DSL-driven patch kitchen straight into the browser.
- Binary Nutrition Facts — `BinaryFactsLabel` renders file metadata, sections, protection bits, and entropy just like a cereal label.
- Ransomware, Crypto, and IoC trays — `RansomwareIndicatorsCard`, `CryptoUsageCard`, `IoCPanel`, and `FilesystemBehaviorCard` turn raw telemetry into snackable diagnostics.
- Call Graph Aquarium — `CallGraphView` blends `react-force-graph-2d` with IoC pills, simulations, and taint overlays so you can follow suspicious swim lanes.
- Query & Patch Lab — `components/query-workbench.tsx` talks to `/api/query`, runs the Python DSL (`fugu/query_dsl.py`), logs patches in SQLite, and lets you apply them without leaving the UI.
- Sim Vault & Patch Pantry — `/api/simulations` and `/api/patches` persist path simulations and mutations in `data/*.db`, so your telemetry survives refreshes and demos.
- Frontend — Next.js 16, React 19, Tailwind 4, and Lucide icons live in `app/` and `components/`. `app/page.tsx` handles polling, tab state, and the brutalist treatment.
- Binary store — `app/api/binary/route.ts` keeps the UI hot by writing telemetry into an in-memory store (`lib/binary-store.ts`) that mirrors the last POST.
- Persistence — `lib/patch-db.ts` and `lib/simulation-db.ts` use `better-sqlite3` to write into `data/patches.db` + `data/simulations.db`. WAL is enabled so it works out-of-the-box.
- DSL & patch pipeline — `/api/query` spawns `python -m fugu.query_dsl`, streams the current snapshot via stdin, then logs patch operations or newly generated path simulations.
- Patch application — `/api/patches/apply` spawns `python -m fugu.patch_apply`, writes patched binaries to `FUGU_PATCH_OUTPUT_DIR` (or next to the original), and marks rows as applied.
- Python brain — `fugu/` wraps angr for collection (`fugu/main.py`), the DSL engine, patch helpers, and requirements for a slim venv.
- Node.js 20+ and `pnpm` 8+
- Python 3.10+ with `pip`
- macOS/Linux (Windows works via WSL or a shell that can run the scripts below)

```bash
pnpm install
python3 -m venv .venv
source .venv/bin/activate
pip install -r fugu/requirements.txt
```

Tip: set `PYTHON_BIN` and/or `VIRTUAL_ENV` if your Python lives somewhere else—`lib/python.ts` will pick it up automatically.

```bash
pnpm dev
# visit http://localhost:3000
```

Useful scripts: `pnpm lint`, `pnpm build`, and `pnpm start`.

/api/binary is the single ingestion endpoint. Send a POST with as much telemetry as you have—the UI turns on whenever hasData is true. The /test helper page (app/test/page.tsx) can send a curated payload or copy a ready-made curl command.

```bash
curl -X POST http://localhost:3000/api/binary \
  -H "Content-Type: application/json" \
  -d '{
    "binaryId": "demo-id",
    "binaryPath": "/tmp/demo.bin",
    "binaryData": { "name": "demo.bin", "format": "ELF", "architecture": "x86_64" },
    "callGraph": [{ "id": "main", "name": "main", "calls": ["decrypt_payload"] }],
    "ransomwareProfile": {...},
    "iocs": {"items": []},
    "cryptoUsage": {...},
    "filesystemBehavior": {...},
    "simulations": [],
    "malwareFamilies": [],
    "taintSummary": null
  }'
```

`GET /api/binary` is polled every 2 seconds via `useSWR` so the dashboard updates automatically.

components/query-workbench.tsx sends whatever you type to /api/query, which pipes it to python -m fugu.query_dsl. Highlights:

```
QUERY sections WHERE entropy > 7
QUERY imports WHERE name CONTAINS "mutex"
SIMULATE PATH FROM main DEPTH 120 LIMIT 2
SIMULATE MUTATE security TOGGLE nx
PATCH MUTATE security SET nx = true
```

- `QUERY` returns filtered data with counts.
- `SIMULATE PATH` records traversals and saves them in SQLite so the Call Graph tab can highlight them.
- `SIMULATE MUTATE` previews structural or metadata changes.
- `PATCH MUTATE` logs operations; the Patch Log (`PatchLogPanel`) lets you apply, clear, or review batches.

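
One way to evaluate the two `QUERY` forms above without ever passing browser-supplied text to `eval`: the query is matched against a fixed grammar and the operator is looked up in a table. This is an added example, not the code in `fugu/query_dsl.py`; the grammar subset, the snapshot shape in `SAMPLE`, the case-insensitive `CONTAINS`, and the name `run_query` are assumptions.

```python
import operator
import re

# Grammar subset inferred from the two QUERY examples above (an assumption,
# not the grammar implemented in fugu/query_dsl.py).
QUERY_RE = re.compile(
    r'^QUERY\s+(?P<coll>[A-Za-z_]+)\s+WHERE\s+(?P<field>[A-Za-z_]+)\s+'
    r'(?P<op>>=|<=|>|<|=|CONTAINS)\s+(?P<val>"[^"]*"|-?\d+(?:\.\d+)?)$'
)

# Fixed operator table: user text selects an entry, it is never evaluated.
OPS = {
    ">": operator.gt, "<": operator.lt,
    ">=": operator.ge, "<=": operator.le, "=": operator.eq,
    # Case-insensitive substring match (assumed semantics).
    "CONTAINS": lambda a, b: isinstance(b, str) and b.lower() in a.lower(),
}

# Constructed sample snapshot; the real telemetry shape may differ.
SAMPLE = {
    "sections": [
        {"name": ".text", "entropy": 6.1},
        {"name": ".upx1", "entropy": 7.92},
        {"name": ".rsrc", "entropy": "n/a"},  # wrongly typed on purpose
    ],
    "imports": [{"name": "CreateMutexW"}, {"name": "ReadFile"}],
}

def run_query(text, snapshot):
    """Return {'count', 'results'} for one QUERY line, or raise ValueError."""
    m = QUERY_RE.match(text.strip())
    if not m:
        raise ValueError("unsupported or malformed query")
    rows = snapshot.get(m["coll"])
    if not isinstance(rows, list):
        raise ValueError(f"unknown collection: {m['coll']}")
    raw = m["val"]
    value = raw[1:-1] if raw.startswith('"') else float(raw)
    expected = str if isinstance(value, str) else (int, float)
    op = OPS[m["op"]]
    hits = []
    for row in rows:
        cell = row.get(m["field"])
        # Rows with a missing or wrongly typed field never match.
        if isinstance(cell, expected) and not isinstance(cell, bool) and op(cell, value):
            hits.append(row)
    return {"count": len(hits), "results": hits}
```
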
| Endpoint / file | Purpose |
|---|---|
| `POST /api/binary` (`app/api/binary/route.ts`) | Accepts telemetry, warms the in-memory store, and replaces simulation rows. |
| `GET /api/binary` | Returns the latest snapshot for the dashboard. |
| `POST /api/query` (`app/api/query/route.ts`) | Spawns the DSL engine, logs patches via `lib/patch-db.ts`, and persists simulations. |
| `GET /api/patches` / `DELETE /api/patches` | Lists or clears logged mutations for the active binary. |
| `POST /api/patches/apply` | Runs `python -m fugu.patch_apply`, writes a `.patched` binary, and stamps a batch ID. |
| `GET /api/simulations` | Reads historical simulations from `data/simulations.db`. |
| `fugu/main.py` | CLI that runs angr, emits telemetry, and can optionally boot `pnpm dev` via `--start-ui`. |
| `fugu/query_dsl.py` / `fugu/patch_apply.py` | DSL interpreter + patch helper that power the Query Lab. |

- `PYTHON_BIN` — force a specific interpreter (helpful if angr lives in a system install).
- `VIRTUAL_ENV` — respected when resolving Python paths.
- `FUGU_PATCH_OUTPUT_DIR` — controls where patched binaries land (defaults to the original binary’s folder).

Set them inline (FUGU_PATCH_OUTPUT_DIR=/tmp/patched pnpm dev) or via .env.
Use the bundled helper to analyze a binary and post results straight into the dashboard:

```bash
python -m fugu.main serve --path ./binaries/evil.bin \
  --endpoint http://localhost:3000/api/binary \
  --start-ui
```

`--start-ui` launches `pnpm dev` for you, creating an end-to-end Binary Nutrition tasting menu with a single command.

Now toss a suspicious sample into the tank, watch the Binary Nutrition label light up, and enjoy how Fugu keeps analysis, simulation, and patching inside one neon theme.
