沈济南, 胡俊鹏, 梁芳, 杨洁勇. Process behavior monitoring system based on API Hook [J]. Journal of Yunnan University (Natural Sciences Edition), 2018, 40(3): 466-473. doi: 10.7540/j.ynu.20170399
SHEN Ji-nan, HU Jun-peng, LIANG Fang, YANG Jie-yong. Process behavior monitoring via API Hook [J]. Journal of Yunnan University: Natural Sciences Edition, 2018, 40(3): 466-473. DOI: 10.7540/j.ynu.20170399

Process behavior monitoring system based on API Hook

Process behavior monitoring via API Hook

Abstract (translated from the Chinese original): The process behavior monitoring system based on API Hook uses hook technology and memory protection technology to achieve transparent security monitoring of the API-call behavior of guest processes. First, hooks are set on the API functions of the guest virtual machine to intercept the API-call behavior of processes running in it; next, memory protection technology is used to hide and protect the guest-side hooks, so that the behavior monitoring remains transparent to the guest virtual machine; then, the isolation provided by the virtual machine monitor is used to place the security tools in a secure domain, which on one hand prevents malicious processes from detecting and attacking the security tools and on the other hand addresses the problem of malicious tenants using virtual machines to launch attacks; finally, on the basis of the intercepted guest API calls, semantic reconstruction technology is used to perform fine-grained monitoring of guest process behaviors such as process creation, file operations and registry operations. Test results show that: ① the monitoring system can effectively intercept the API calls of guest virtual machine processes and, combined with semantic reconstruction, can effectively monitor process behaviors such as process creation, file operations and registry operations; ② a performance test on a single hook point shows that the monitoring system's interception of API calls has a 4.8% impact on system performance; ③ for file monitoring, the API Hook based process behavior monitoring system improves performance by 73% relative to existing monitoring systems that intercept system calls.

Abstract: TAC, a process behavior monitoring system based on API Hook, realizes transparent monitoring of the API-call behavior of guest processes using hook and memory protection technology. First, TAC intercepts the API calls of processes in virtual machines by hooking the API functions of the guest virtual machine. Then memory protection technology is used to hide and protect the guest-side hooks, so that the behavior monitoring remains transparent to the guest virtual machine, and the isolation of the virtual machine monitor is used to place the security tools in a secure domain. On the one hand, this prevents malicious processes from detecting and attacking the security tools; on the other hand, it addresses the problem of malicious tenants using virtual machines to launch attacks. Finally, API-call interception combined with semantic reconstruction provides fine-grained monitoring of processes in the guest VM, such as process creation, file operations and registry operations. The experimental results show that: ① the monitoring system can effectively intercept the API calls of guest virtual machine processes and, combined with semantic reconstruction, can effectively monitor process creation, file operations, registry operations and so on; ② the performance overhead of TAC while tracing API calls is 4.8%; ③ in file monitoring, the API Hook based TAC improves performance by 73% relative to existing monitoring systems that intercept system calls.
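The abstract's "semantic reconstruction" step is the part a monitoring system cannot skip: a hooked WriteFile or RegSetValueExW call only carries a handle, so the monitor has to remember what CreateFileW or RegOpenKeyExW returned earlier for that process in order to name the file or key being touched. The following is an added example, not TAC's code or anything from the paper; it assumes a hypothetical text record format that the hook layer might emit (`pid|api|arg1|...|ret=<handle, new pid or FAIL>`) and reconstructs process creation, file operations and registry operations from a constructed trace, including a handle the hooks never saw being opened and a record that is malformed.

```python
"""Semantic reconstruction of intercepted API calls into process behaviors.

Added example, not the paper's TAC implementation. It assumes (hypothetically)
that the hook layer emits one text record per intercepted guest API call:
    pid|api|arg1|arg2|...|ret=<value>
where ret= carries the returned handle (CreateFileW, RegOpenKeyExW), the new
process id (CreateProcessW), or FAIL when the call failed. Per-process handle
tables then turn low-level calls into the behaviors the abstract monitors.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class Behavior:
    pid: int
    kind: str     # process_create | file_open | file_open_failed | file_read | file_write | registry_set
    target: str   # image path, file path or registry key
    detail: str = ""


class SemanticReconstructor:
    """Keeps per-process handle tables so that handle-only calls can be named."""

    def __init__(self) -> None:
        self.files: Dict[Tuple[int, str], str] = {}   # (pid, handle) -> file path
        self.keys: Dict[Tuple[int, str], str] = {}    # (pid, handle) -> key path

    def feed(self, record: str) -> Optional[Behavior]:
        fields = record.strip().split("|")
        if len(fields) < 3 or not fields[-1].startswith("ret="):
            raise ValueError(f"malformed hook record: {record!r}")
        pid, api, args, ret = int(fields[0]), fields[1], fields[2:-1], fields[-1][4:]

        def need(n: int) -> None:
            if len(args) < n:
                raise ValueError(f"{api} record needs {n} arguments: {record!r}")

        if api == "CreateProcessW":
            need(2)
            return Behavior(pid, "process_create", args[0], f"new_pid={ret} cmdline={args[1]}")

        if api == "CreateFileW":
            need(2)
            path, access = args[0], args[1]
            if ret == "FAIL":                      # failed open: report it, track nothing
                return Behavior(pid, "file_open_failed", path, access)
            self.files[(pid, ret)] = path
            return Behavior(pid, "file_open", path, access)

        if api in ("ReadFile", "WriteFile"):
            need(2)
            handle, nbytes = args[0], args[1]
            # A handle the hooks never saw opened (e.g. inherited) is reported, not dropped.
            path = self.files.get((pid, handle), f"<unresolved handle {handle}>")
            kind = "file_read" if api == "ReadFile" else "file_write"
            return Behavior(pid, kind, path, f"bytes={nbytes}")

        if api == "CloseHandle":
            need(1)
            self.files.pop((pid, args[0]), None)
            return None

        if api == "RegOpenKeyExW":
            need(2)
            if ret != "FAIL":
                self.keys[(pid, ret)] = f"{args[0]}\\{args[1]}"
            return None                            # a key open only matters once it is used

        if api == "RegSetValueExW":
            need(3)
            key = self.keys.get((pid, args[0]), f"<unresolved key {args[0]}>")
            return Behavior(pid, "registry_set", key, f"{args[1]}={args[2]}")

        if api == "RegCloseKey":
            need(1)
            self.keys.pop((pid, args[0]), None)
            return None

        return None   # hooked APIs outside the monitored set are not reconstructed


def reconstruct(records: List[str]) -> List[Behavior]:
    """Run a whole trace through one reconstructor, skipping blank lines."""
    rec = SemanticReconstructor()
    out: List[Behavior] = []
    for line in records:
        if line.strip():
            b = rec.feed(line)
            if b is not None:
                out.append(b)
    return out


def summarize(behaviors: List[Behavior]) -> List[str]:
    """One line per reconstructed behavior, in timeline form."""
    return [f"pid {b.pid}: {b.kind} {b.target} {b.detail}".rstrip() for b in behaviors]


# Constructed trace standing in for what the guest-side hooks would capture.
SAMPLE_TRACE = """\
4120|CreateFileW|C:\\Users\\alice\\report.docx|GENERIC_READ|ret=0x1c4
4120|ReadFile|0x1c4|8192|ret=1
4120|CloseHandle|0x1c4|ret=1
4120|CreateFileW|C:\\Users\\alice\\report.docx.tmp|GENERIC_WRITE|ret=0x1c8
4120|WriteFile|0x1c8|8192|ret=1
4120|CreateFileW|C:\\ProgramData\\locked.log|GENERIC_WRITE|ret=FAIL
4120|RegOpenKeyExW|HKEY_CURRENT_USER|Software\\Example\\Settings|ret=0x2a0
4120|RegSetValueExW|0x2a0|LastOpened|C:\\Users\\alice\\report.docx|ret=0
4120|RegCloseKey|0x2a0|ret=0
4120|CreateProcessW|C:\\Windows\\System32\\notepad.exe|notepad.exe report.txt|ret=5208
5208|WriteFile|0x0e0|16|ret=1
""".splitlines()

if __name__ == "__main__":
    for line in summarize(reconstruct(SAMPLE_TRACE)):
        print(line)
```

The handle tables are keyed by (pid, handle) because handle values are per-process in Windows; the same numeric handle in two processes names two different objects. Unresolved handles are surfaced rather than silently dropped, since a gap in the handle table (an inherited handle, or a hook installed after the object was opened) is itself something an analyst wants to see.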
