
The Research of Remote Control Trojan Communication Protocol and Investigation Method

XU Guo-tian   

  • About author: Department of Cyber Crime Investigation, China Criminal Police College, Shenyang, Liaoning 110854

Abstract: This paper studies how to obtain the IP address of the hacker host when the remote control channel cannot be established. The research method is to use a sniffer to capture the communication data of the "victim" host, analyze the captured data, determine the communication mode and state of the hacker host, and summarize the methods for obtaining the hacker host's IP address in different states. Both modes in which the Trojan refreshes the IP address are studied. When the hacker host is down or has stopped the Trojan control program, the hacker host's IP address can be obtained.