Abstract: To research the existing techniques of scanning process space in Windows, new methods different from traditional technology using structure scanning to unearth process space deeply was brought forth. These methods use of the inherent characteristics of process based on the important data structures in RAM, especially VAD binary tree and stack for specific function, then realize the extraction of key information. Experiments show that these methods are of higher reliability and efficiency.