Abstract: Detection tools can judge whether a virtual machine is under attack by detecting hidden files. Traditional file detection tools reside in the monitored virtual machine, where they are vulnerable to attack by malicious software. Based on virtual machine introspection, a modularized virtual machine file detection method (FDM) is designed and implemented. Using knowledge of the operating system kernel, FDM parses the physical hardware and builds a semantic view of the files. FDM then identifies hidden files by comparing this view with the internal file list. Parsing the hardware status and obtaining the semantic information are implemented in different modules. FDM has not only the tamper resistance of virtual machine introspection but also a modular architecture, portability and efficiency. The experimental results show that FDM can quickly and accurately detect hidden files inside the virtual machine.