Due to software implementation flaws, such as buffer overflow and integer overflow, the flaws may further cause software vulnerabilities. We often take advantages of static analysis or dynamic testing to find these issues. However, because of incomplete testing coverage, software vulnerabilities are still uncovered, especially for large software systems. Therefore, secure programs are getting more and more attentions in recent years. In order to improve the finding process of software vulnerabilities, fuzz testing is a commonly used approach. Because traditional fuzz testing has no specific target for input data mutation, the testing is an unpredictable process with indefinite testing time. We propose to hook sensitive functions as the mutation target and use symbolic execution to automate the fuzzing process. If we can reach the sensitive functions with symbolic input, we will be able to collect all the constraints and schedule the selection of constraints to generate test cases, which can lead the program to the crash point. We have evaluated four software systems and produce crash inputs in 30 minutes, compared with the traditional fuzzing taking more than 500,000 seconds.