Due to the high detection accuracy of dynamic simulation in which network traffic is sent to the emulator as executable code to detect suspicious behaviour, static analysis has become less popular. Earlier static shellcode detection methods are mainly based on statistical method which focus on instruction abstract features or byte patterns. Although these method can be used for detection, it can’t guarantee the detection effect.It is hard for both of them to locate the position of shellcode. However, a new static analysis based approach is proposed in this paper. The shellcode instructions rely heavily on contextual information, so we use static disassembly to capture the fine-grained malicious mode of registers. In order to enhance the detection performance, several rules are designed based on the characteristics of the shellcode. Experimental results show that our method has certain potential, which may show better effects when combined with other shellcode detection methods.