Skip to main content

Function Overview

Functions are fundamental units of code organization in Ghidra, representing callable subroutines with defined entry points, parameters, and return values.
The FunctionPlugin provides comprehensive actions for creating, editing, and deleting functions and their variables.

Creating Functions

Manual Function Creation

1

Position Cursor

Navigate to function entry point:
  • Place cursor on first instruction
  • Should be a typical function prologue
  • Or known entry point from analysis
2

Create Function

Execute create action:
  • Press F key
  • Right-click > Function > Create Function
  • Menu: Function > Create Function
3

Verify Boundaries

Check function extent:
  • Ghidra analyzes code flow
  • Determines function body
  • Identifies return points
  • Marks function in Symbol Tree
For best results, ensure the code is properly disassembled before creating functions.

Automatic Function Detection

Auto-analysis creates functions automatically:
  • Entry point analysis
  • Call target analysis
  • Pattern-based detection
  • External references

Creating Multiple Functions

1

Select Range

Select addresses for functions:
  • Highlight multiple entry points
  • Can span discontinuous ranges
2

Bulk Create

Use CreateMultipleFunctionsAction:
  • Right-click > Function > Create Multiple Functions
  • Creates function at each selected address
  • Useful for function tables

Function Properties

Function Signature

A complete function signature includes:
Function return value:
  • Data type returned
  • void for no return
  • Set via SetReturnDataTypeCmd
  • Affects decompiler output

Editing Signatures

1

Open Editor

Access function signature editor:
  • Press Ctrl + Shift + G on function
  • Right-click function > Edit Function Signature
  • Double-click in Function Window
2

Modify Components

Edit signature parts:
  • Change return type via dropdown
  • Add/remove/reorder parameters
  • Rename parameters
  • Set calling convention
3

Apply Changes

Commit modifications:
  • Click OK to apply
  • Signature updates immediately
  • Decompiler refreshes
  • Call sites may update
Use ApplyFunctionSignatureCmd programmatically to set signatures from scripts or analysis.

Function Variables

Variable Types

Function inputs:
  • Passed in registers or stack
  • Named in signature
  • Typed for analysis
  • Accessed in function body

Renaming Variables

1

Select Variable

Find variable to rename:
  • In decompiler view
  • Or in function editor
  • Click on variable name
2

Rename Action

Execute rename:
  • Press L in decompiler
  • Right-click > Rename Variable
  • Implemented by EditNameAction
3

Enter Name

Provide meaningful name:
  • Descriptive of purpose
  • Follows naming conventions
  • Updates throughout function

Retyping Variables

1

Select Variable

Choose variable to retype
2

Choose Type

Select new data type:
  • Press Ctrl + L in decompiler
  • Browse Data Type Manager
  • Select appropriate type
3

Observe Propagation

Type changes affect:
  • Variable declaration
  • Related casts and conversions
  • Decompiler structure interpretation
  • Downstream type inference

Variable Comments

1

Add Comment

Document variables:
  • Right-click variable > Set Comment
  • Implemented by VariableCommentAction
  • Appears in function display
2

Delete Comment

Remove documentation:
  • Right-click > Delete Comment
  • Uses VariableCommentDeleteAction

Function Window

View all functions in a table:
1

Open Function Window

Access function list:
  • Window > Functions
  • Shows all program functions
  • Sortable columns
2

Navigate Functions

Use the table:
  • Click to navigate to function
  • Sort by name, address, size
  • Filter functions
  • Export function list

Table Columns

Function table displays:
  • Name: Function symbol name
  • Location: Entry point address
  • Size: Function body size in bytes
  • Parameter Count: Number of parameters
  • Namespace: Containing namespace/class
  • Source: Analysis source type

Advanced Function Operations

Thunk Functions

Thunks are forwarding functions:
1

Identify Thunk

Recognize thunk pattern:
  • Simple jump to another function
  • No actual logic
  • Common in import tables
2

Create Thunk

Mark as thunk:
  • Right-click > Function > Create Thunk Function
  • Implemented by thunkFunctionAction
  • Links to target function
3

Edit Thunk

Modify thunk properties:
  • Use EditThunkFunctionAction
  • Change thunk target
  • Update calling convention
4

Revert Thunk

Convert back to normal:
  • RevertThunkFunctionAction
  • Becomes regular function
  • Body can be analyzed

External Functions

Functions in external libraries:
1

Create External Function

Define library function:
  • Use CreateExternalFunctionAction
  • Specify library name
  • Set function name
2

Link to Library

Associate with external:
  • Links to external symbol
  • Can import signature
  • Affects call analysis

Function Purge

For stack cleanup (x86 stdcall):
  • Bytes popped by callee
  • Determined by calling convention
  • Affects stack balance analysis

Function Analysis

Call Trees

Visualize function relationships:
1

View Callers

See what calls this function:
  • Right-click function > References > Show Call Trees to...
  • Tree view of callers
  • Navigate call hierarchy
2

View Callees

See what this function calls:
  • Right-click > References > Show Call Trees from...
  • Tree of called functions
  • Analyze dependencies
Use PrintFunctionCallTreesScript.java to export call trees for documentation.

Stack Frame Analysis

Ghidra analyzes stack usage:
  • Local variable allocation
  • Stack parameter access
  • Saved registers
  • Stack frame size

Register Analysis

Register usage tracking:
  • Modified registers
  • Parameter registers
  • Return value registers
  • Preserved registers

Function Tags

Organize functions with tags:
1

Create Tags

Define tag categories:
  • Via FunctionTagPlugin
  • Custom tag names
  • Color coding
2

Apply Tags

Tag functions:
  • Right-click function > Edit Tags
  • Select applicable tags
  • Multiple tags per function
3

Filter by Tags

Find tagged functions:
  • Filter in Function Window
  • Group by tag
  • Analysis organization

Deleting Functions

1

Select Function

Position on function to delete:
  • Cursor in function body
  • Or select in Symbol Tree
2

Delete Action

Remove function:
  • Right-click > Function > Delete Function
  • Uses DeleteFunctionAction
  • Confirms deletion
3

Cleanup

After deletion:
  • Code remains disassembled
  • Function boundary removed
  • Symbol deleted
  • Can recreate if needed
Deleting a function doesn’t delete the code - only the function metadata. The instructions remain in the program.

Special Function Types

No-Return Functions

Functions that never return:
  • exit(), abort(), exception throwers
  • Mark with no-return attribute
  • Affects control flow analysis
  • Use FixupNoReturnFunctionsScript.java

Inline Functions

Marking for inline expansion:
  • Set inline attribute
  • Use MakeFunctionsInlineVoidScript.java
  • Affects call graph display

Variadic Functions

Variable argument count:
  • printf, sprintf, etc.
  • Mark with varargs attribute
  • Special parameter handling
Properly marking special function types significantly improves analysis accuracy and decompiler output quality.

Build docs developers (and LLMs) love

Get started for freeTalk to us