A method, a system, and an apparatus for detecting malicious code to solve the problem that detection efficiency is low and that more resources are occupied. The method includes: monitoring execution of an instruction in a virtual machine supervisor of a host computer, where the instruction is generated in escape mode when a read-write request generated during execution of program code in a virtual machine of the host computer is delivered to the virtual machine supervisor; obtaining execution characteristics of the program code according to execution of the instruction; and comparing the obtained execution characteristics with pre-stored execution characteristics of known malicious code, and determining that the program code is malicious code when the obtained execution characteristics and the pre-stored execution characteristics are the same. This improves the detection efficiency, and saves the storage resources and the processing resources in the host computer.