Originally published April 3, 2007 on OpenRCE.
Here is a simple IDA trick that I use for shellcode analysis. API functions in shellcode are typically looked up dynamically based upon the DLL's base address and a 32-bit hash of the function's name (GetProcAddress via hashing), like such:
seg000:00000268 push 0EC0E4E8Eh ; is actually LoadLibraryA seg000:0000026D push eax seg000:0000026E call sub_29D
The most commonly-seen API hashing function is the following one:
seg000:000002C6 loc_2C6: seg000:000002C6 lodsb seg000:000002C7 test al, al seg000:000002C9 jz short loc_2D2 seg000:000002CB ror edi, 0Dh seg000:000002CE add edi, eax seg000:000002D0 jmp short loc_2C6
Since shellcode often makes use of well-known subsets of the Windows API (such as WinExec, CreateProcess, CreateFile, MapViewOfFile, the sockets API, the wininet API, etc), it is often obvious from the context which API functions are being used. Nevertheless, occasionally you'll have to reverse a hash into an API name, and that can quickly become annoying.
My solution to this is a small python script, based upon Ero's pefile, that creates an IDC declaration of an IDA enumeration for each DLL. The enum serves as a mapping between each exported name and its hash. Since the API hashing function may change, the Python function to do this is extensible via a function pointer which defaults to the standard hash presented above.
After creating the IDC script and loading it into IDA, simply press 'm' with your cursor over the hash value. IDA will either find the hash in one of the enumerations or tell you that it can't find it, in which case either your hash function implementation is buggy, or the function lies inside of a DLL whose hashed export names are not yet loaded as an enum. A successful result is:
seg000:00000268 push kernel32_apihashes_LoadLibraryA seg000:0000026D push eax seg000:0000026E call sub_29D
One nice thing about this method is that IDA will search all loaded enumerations for the hash value. I.e. you don't need to tell IDA which DLL base address is being passed as arg_0: if it knows the hash, it will tell you both the name of the export and the name of the enumeration that it came from. Using a named enumeration element eliminates the need for a comment at each API call site. Another nice thing is that, since the hash presented above is so common, you can create the enumerations once and put them into a big 'shellcode.idc' file and then immediately apply them to any shellcode using this hash (such as some recent in-the-wild ANI exploits, or the HyperUnpackMe2 VM from my most recent OpenRCE article) without missing a beat.
Porting everything to IDAPython and thereby removing the dependency upon the IDC script is left as a simple exercise for the reader.