For the problem that current methods unable to capture and analyze the system call parameters and return values, a system for real-time monitoring of system calls in the guest was established based on Nitro. The system capture and analyze fast system call entry and exit instructions by modifying hardware specifications and rewriting instructions. After capturing the system call entry instruction, the parameters are parsed according to the context information of the VCPU and the semantic template of the system call; after the system call exit instruction is captured, the return value is parsed according to the VCPU register information. Compared with the similar capture system call method, experiments show that the system can capture the system call sequence in the guest in real time, and obtain complete system call information including system call name, system call number, parameters, and return value. The system can also distinguish between system calls generated by different processes and brings no more than 15% performance overhead to the host.