The invention relates to a malicious program behavior capture method based on the Qemu. The method is characterized in that a malicious program behavior capture module is directly inserted into a source code of the Qemu, a client operating system is installed on the Qemu, and then behavior capture is carried out on malicious program samples on the client operating system through the malicious program behavior capture module running in the Qemu. The method has the advantages that the malicious program behavior capture module is directly inserted into the source code of the Qemu, completely isolated from the samples running on the client operating system and located on the lower layer of the operating system, and in theory, the malicious program samples can not detect or escape the malicious program behavior capture module easily.