XU Kun, LIAO Xiao-fei. Research on Proactive Defense Model Based on Virtualization Technology[J]. Microelectronics & Computer, 2012, 29(12): 189-192.

Research on Proactive Defense Model Based on Virtualization Technology

Abstract: Traditional proactive defense software that works by hooking kernel code cannot defend effectively against high-risk malicious code once a malicious driver has been allowed to load. Building on existing virus behavior analysis and pattern recognition techniques, this paper therefore proposes a proactive defense model based on hardware virtualization. It describes in detail the main architecture and implementation of the hardware-virtualization-based proactive defense system, the division of the system's functional modules and their implementation principles, and the implementation of key techniques such as behavior window monitoring and black and white lists. The model performs behavior detection and defense from a lower level, and it achieves strong self-protection through shadow page tables.
