wtf
wtf is a distributed snapshot-based fuzzer for finding vulnerabilities in Windows and Linux targets by executing code within emulators or hypervisors and tracking code coverage. It supports user-mode and kernel-mode fuzzing with multiple execution backends (bochscpu, Windows Hypervisor Platform, KVM) and has been used to discover issues in IDA Pro, Windows kernel, and other high-profile software.
Key facts
Objective fields from the source. Values we can't verify are shown as “Unknown” rather than guessed.
| Field | Value |
|---|---|
| Repository | 0vercl0k/wtf |
| Owner | 0vercl0k |
| Primary language | C++ |
| License | MIT — OSI-approved |
| Stars | 1.8k |
| Forks | 154 |
| Open issues | 27 |
| Latest release | v0.5.7 (2025-03-01) |
| Last updated | 2026-07-05 |
| Source | https://github.com/0vercl0k/wtf |
What wtf is
A C++ fuzzer implementing distributed architecture with coverage-guided test case generation, supporting snapshot-based execution with pluggable backends (bochscpu emulation, WinHv, KVM). Generates execution traces, code-coverage data, and corpus minimization; features custom fuzzer module hooks and multi-node orchestration via master/client topology.
Get the wtf source
Clone the repository and explore it locally.
git clone https://github.com/0vercl0k/wtf.gitcd wtf# follow the project's README for install & configurationNeed it deployed, integrated, or customized instead? DEV.co ships production installs.
Best use cases
Implementation considerations
- Requires creating a custom fuzzer module (C++ code hook) to define target entry point, input mutation strategy, and crash detection. Module development is non-trivial for complex targets.
- Snapshot creation workflow varies by backend (bochscpu, WinHv, KVM). Windows kernel fuzzing demands VM setup, driver loading, and breakpoint-based snapshot triggering; Linux experimental support may introduce compatibility gaps.
- Corpus management requires pre-populating `inputs` directory, configuring `max_len` and `runs` parameters, and understanding code-coverage collection (`outputs`, `coverage` folders). Minset workflow adds operational overhead.
- Execution tracing and symbolization are separate steps (via symbolizer-rs, Tenet, Lighthouse). Post-crash analysis tooling requires additional setup and domain knowledge.
- Master/client architecture demands network configuration (address binding, client discovery). Horizontal scaling requires coordinating multiple fuzz nodes; no built-in load balancing or orchestration layer.
When to avoid it — and what to weigh
- Requiring fast feedback loops on Linux — Linux mode is marked experimental. Use mainstream fuzzers (libFuzzer, AFL++) for Linux user-mode targets if speed is critical.
- Fuzzing highly interactive or long-running processes — Snapshot-based approach assumes clean state snapshots. Stateful services or targets requiring warm-up may require significant engineering to set up snapshot points.
- Small/resource-constrained teams without fuzzing expertise — Setup requires understanding snapshot mechanics, custom fuzzer module development, and VM/emulator configuration. Operational complexity is high compared to black-box fuzzers.
- Projects needing guaranteed stability or commercial support — No commercial support entity mentioned. Project is maintained by individual/small group. Not production-hardened; 27 open issues suggest active development with potential breaking changes.
License & commercial use
MIT License. Permissive OSI-approved license allowing unrestricted use, modification, and distribution for commercial and private purposes, subject only to license and copyright notice inclusion.
MIT license permits commercial use without restriction or royalty. However, no commercial support, SLA, or warranty is offered. Use in production security research or product development is the licensee's responsibility; no indemnification or liability waiver for vulnerabilities discovered or undiscovered.
DEV.co evaluation signals
Editorial assessment — not user reviews. Directional, with an explicit confidence level.
| Signal | Assessment |
|---|---|
| Maintenance | Active |
| Documentation | Adequate |
| License clarity | Clear |
| Deployment complexity | High |
| DEV.co fit | Possible |
| Assessment confidence | High |
wtf executes untrusted fuzzer-generated inputs within isolated emulator/VM environments; hypervisor isolation provides containment. Backend choice affects exposure: bochscpu (emulation) is slowest but most isolated; WinHv/KVM share host kernel and may be vulnerable to VM escape or side-channel attacks if hypervisor is not patched. No security audit or threat model documented. Developers should: (1) keep host OS and hypervisor patched, (2) isolate fuzzing nodes on separate networks, (3) review custom fuzzer module code for logic bugs, (4) validate snapshot integrity. Crashes are logged to disk; sanitize crash dumps before sharing.
Alternatives to consider
libFuzzer + Sanitizers
Lightweight, battle-tested for continuous fuzzing of open-source code. Requires source instrumentation but provides faster feedback. No hypervisor overhead; best for Linux user-mode and platforms with compiler support.
AFL++ / AFL
Mature, widely-adopted black-box fuzzer for Linux/macOS. Simpler setup than wtf; excellent documentation and community. Less effective for kernel fuzzing or closed-source binaries without tracing hooks.
Syzkaller
Specialized for Linux kernel fuzzing; distributed architecture similar to wtf but optimized for syscall-based testing. Better for Linux kernel work; less suitable for Windows or binary protocol fuzzing.
Build on wtf with DEV.co software developers
wtf is ideal for security researchers and development teams tackling kernel drivers, closed-source binaries, and network protocols. Evaluate complexity with our expert team before committing resources to snapshot fuzzing infrastructure.
Talk to DEV.coRelated on DEV.co
Explore the category and the services that help you build with it.
wtf FAQ
Can I fuzz Linux kernels with wtf?
Do I need to modify target source code to use wtf?
What is the typical fuzzing speed?
How do I integrate wtf into CI/CD?
Custom software development services
Adopting wtf is usually one piece of a larger software development effort. As a software development agency, DEV.co provides software development services and web development expertise — pairing senior software developers and web developers with your team to design, build, and operate open-source testing software in production.
Ready to deploy advanced fuzzing?
wtf is ideal for security researchers and development teams tackling kernel drivers, closed-source binaries, and network protocols. Evaluate complexity with our expert team before committing resources to snapshot fuzzing infrastructure.