Argos is an advertised honeypot using dynamic taint analysis to detect and
analysis control flow attacks.
For more info on Argos you can visit http://www.few.vu.nl/argos

In this extension I have implemented payload analysis functionality that
detects the execution of a payload and captures run-time information for 
further analysis as part of my master thesis.
The run-time information captured includes the execution trace, the memory
references, the CPU state, and optionally the stage of the instructions.

A stage references the number of unpacking that has occurred.
Every byte of the captured execution trace initially starts with stage zero and
every time the payload writes a byte to memory that bytes has a stage equal to
the stage of the read byte plus one.

The stage can be used to detect the various parts of the payload.
Instructions with stage zero belong to the NOP-sled and first unpacker,
instructions with a stage greater than zero but smaller than the maximum stage
in the execution trace belong to various unpackers, and the instructions with
the greatest stage belong to the shell-code.

For more information on the implementation see my thesis and slides in the doc
directory.