{"id":14161,"date":"2026-07-09T04:03:56","date_gmt":"2026-07-09T04:03:56","guid":{"rendered":"https:\/\/serisec.com\/index.php\/2026\/07\/09\/33138\/"},"modified":"2026-07-09T04:03:56","modified_gmt":"2026-07-09T04:03:56","slug":"33138","status":"publish","type":"post","link":"https:\/\/serisec.com\/index.php\/2026\/07\/09\/33138\/","title":{"rendered":"My Stack Simulator, (Wed, Jul 8th)"},"content":{"rendered":"<p>    My Stack Simulator, (Wed, Jul 8th)<br \/>\n \t<BR><br \/>\n<BR><\/BR><br \/>\n    <!-- no image --><br \/>\n \t<BR><br \/>\n<BR><\/BR><\/p>\n<div>\n<p>The stack is a memory region where a program stores temporary data &#8211;\u00a0like local variables and return addresses. Think of the stack as a pile of plates in your kitchen: you can only add a new plate to the top, and you can only take one away from the top too. Programs use this same &#8220;last in, first out&#8221; principle to keep track of what they&#8217;re doing. Every time a function is called, the program pushes a new plate onto the stack containing things like local variables and the address to return to once the function finishes. When the function is done, that plate is popped off the top, and execution resumes exactly where it left off. This simple mechanism is what allows programs to call functions within functions within functions, and always find their way back &#8211;\u00a0but it&#8217;s also precisely why a stack that grows too large, or gets overwritten with unexpected data, becomes a favorite target for attackers looking to hijack a program&#8217;s execution flow.<\/p>\n<p>In the SANS class FOR610[<a href=\"https:\/\/www.sans.org\/cyber-security-courses\/reverse-engineering-malware-malware-analysis-tools-techniques\">1<\/a>] (malware analysis), there is an introduction to assembly and, when students learn how functions work, they have to understand how the stack also works. If you\u2019ve no prior experience, it could be a bit challenging. To help students to vizualise how the stack works, I created a \u201cstack simulator\u201d that allows to \u201csee\u201d what\u2019s happening when code is executed.<\/p>\n<p><img data-recalc-dims=\"1\" decoding=\"async\" alt=\"\" src=\"https:\/\/i0.wp.com\/isc.sans.edu\/diaryimages\/images\/isc-20260708-1.png?ssl=1\" style=\"width: 600px; height: 809px;\"><\/p>\n<p>How does it work?<\/p>\n<ol>\n<li>Select the architecture (32-64 bits) in the assembly editor<\/li>\n<li>Select a predefined set of instructions (\u201clesson\u201d, \u201ccall\u201d, \u201cprologue\u201d, \u2026).<\/li>\n<li>Click on \u201cStep\u201d to you can see the impact on the stack and registers (like in a debugger).<\/li>\n<\/ol>\n<p>Note that you can modify the predefined ASM code and add your own instructions.<\/p>\n<p>The stack simulator is available on my website[<a href=\"https:\/\/xameco.be\/stack-simulator.html\">2<\/a>].<\/p>\n<p>If you\u2019re interested\u00a0in malware analysis, my next classes will be:<\/p>\n<ul>\n<li>SANS Tokyo Autumn 2026 [<a href=\"https:\/\/www.sans.org\/cyber-security-training-events\/tokyo-autumn-2026\">3<\/a>]<\/li>\n<li>SANS Paris November 2026 [<a href=\"https:\/\/www.sans.org\/cyber-security-training-events\/paris-november-2026\">4<\/a>]<\/li>\n<\/ul>\n<p>[1]\u00a0<a href=\"https:\/\/www.sans.org\/cyber-security-courses\/reverse-engineering-malware-malware-analysis-tools-techniques\">https:\/\/www.sans.org\/cyber-security-courses\/reverse-engineering-malware-malware-analysis-tools-techniques<\/a><br \/>\n[2]\u00a0<a href=\"https:\/\/xameco.be\/stack-simulator.html\">https:\/\/xameco.be\/stack-simulator.html<\/a><br \/>\n[3] <a href=\"https:\/\/www.sans.org\/cyber-security-training-events\/tokyo-autumn-2026\">https:\/\/www.sans.org\/cyber-security-training-events\/tokyo-autumn-2026<\/a><br \/>\n[4] <a href=\"https:\/\/www.sans.org\/cyber-security-training-events\/paris-november-2026\">https:\/\/www.sans.org\/cyber-security-training-events\/paris-november-2026<\/a><\/p>\n<p><b>Xavier Mertens (@xme)<\/b><br \/>\n<a href=\"https:\/\/xameco.be\/\">Xameco<\/a><br \/>\nSenior ISC Handler &#8211; Freelance Cyber Security Consultant<br \/>\n<a href=\"https:\/\/raw.githubusercontent.com\/xme\/pgp\/refs\/heads\/main\/public.key\">PGP Key<\/a><\/p>\n<p> (c) SANS Internet Storm Center. https:\/\/isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.<\/p><\/div>\n<p> \t<BR><br \/>\n <BR><\/BR><\/p>\n<p> \t<BR><br \/>\n<BR><\/BR><br \/>\n<a href=\"https:\/\/isc.sans.edu\/diary\/rss\/33138\">Go to isc.sans.edu<\/a><br \/>\n \t<BR><br \/>\n <BR><\/BR><\/p>\n","protected":false},"excerpt":{"rendered":"<p>My Stack Simulator, (Wed, Jul 8th) The stack is a memory region where a program stores temporary data &#8211;\u00a0like local variables and return addresses. Think of the stack as a pile of plates in your kitchen: you can only add a new plate to the top, and you can only take one away from the [&hellip;]<\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[56],"tags":[69],"class_list":["post-14161","post","type-post","status-publish","format-standard","hentry","category-isc-sans-edu","tag-isc-sans-edu"],"_links":{"self":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/posts\/14161"}],"collection":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/comments?post=14161"}],"version-history":[{"count":0,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/posts\/14161\/revisions"}],"wp:attachment":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/media?parent=14161"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/categories?post=14161"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/tags?post=14161"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}