The invention relates to a method for detecting kernel data attack behaviors of an operating system, and belongs to the technical field of computer and information science. The method aims to solve the problems that an existing operating system kernel data attack behavior detection method is insufficient in detection comprehensiveness, cannot intercept attack behaviors, depends on kernel source codes and the like. The method comprises the following steps: firstly, positioning and hijacking a specific kernel function by utilizing a synchronous detection mechanism and a semantic reconstruction technology so as to accurately obtain a kernel running state and calculate a legal data access range of a current kernel process; secondly, setting read-write access permission of a memory page by utilizing a virtualization shadow page table permission management mechanism, setting kernel data outside a legal access range to be read-only or unreadable, and performing strong constraint on a data access range of a kernel process; and finally, realizing synchronous detection of attack behaviors by using a memory page exception mechanism so as to resist transient attacks, and intercepting the detected kernel data attack behaviors by using a virtual machine monitor.