A malicious code tracking and recognizing method based on memory protection type monitoring includes the following steps that 1, a developed dynamic link library is injected into a target process; 2, vectorization manipulation function take-over anomaly is applied and used for conducting abnormal segment static analysis and dynamic analysis; 3, the interface function of memory protection attribute is hijacked and modified; 4, whether each call is located in stack space or not is detected; 5, whether the parameter of each call includes an attribute tag or not is judged; 6, for the interface function call of modifying the memory protection attribute into an executable attribute, the executable protection tag location is eliminated; 7, the parameter environment called by the interface function this time is recorded; 8, the original interface function is called so that the program can operate normally; 9, vulnerability attack finding is reported. By means of the steps, the effect of recognizing malicious code (shellcode) in the vulnerability attack process is achieved, and the problems that in the prior art, protection coverage area is small, and compatibility is low are solved.