Virtual machine kernel protection method and apparatus
Abstract:
A virtual machine kernel protection method and apparatus are disclosed. The method includes: trapping a system call function initiated by an application program (S301); and pointing the system call function to a shadow kernel based on an offset value between a base address of an original kernel of a virtual machine and a base address of the shadow kernel, and determining a corresponding entry address of the system call function in the shadow kernel based on a shadow SSDT in the shadow kernel (S302), where the shadow kernel is constructed in a nonpaged pool of the original kernel of the virtual machine, and the shadow kernel is executable kernel code constructed based on an image file of the original kernel of the virtual machine.