State-of-the-art binary code analysis tools

The Functions list is probably one of the most familiar features of IDA’s default desktop layout. But even if you use it every day, there are things you may not be aware of.

Modal version

Available via Jump > Jump to function… menu, or the CtrlP shortcut, the modal dialog lets you see the full width of the list as well as do some quick navigation, for example:

  1. To jump to the current function’s start, use CtrlP, Enter;
  2. To jump to the previous function, use CtrlP, Up, Enter (also available as JumpPrevFunc action: default shortcut is CtrlShiftUp);
  3. To jump to the next function, use CtrlP, Down, Enter (also available as JumpNextFunc action: default shortcut is CtrlShiftDown).

Columns

As can be seen on the second screenshot, the Functions list has many more columns than Function name which is often the only one visible. They are described in the corresponding help topic. By clicking on a column you can ask IDA to sort the whole list on that column. For example, you can sort the functions by size to look for largest ones – the bigger the function, the more chance it has a bug; or you may look for a function with the biggest Locals area since it may have many buffers on the stack which means potential overflows.

If you sort or filter the list, you may see the following message in the Output window:

Caching 'Functions window'... ok

Because sorting requires the whole list, IDA has to fetch it and re-sort on almost any change in the database since it may change the list. On big databases this can become quite slow so once you don’t need sorting anymore, it’s a good idea to use “Unsort” from the context menu.

Synchronization

The list can be synchronized with the disassembly by selecting “Turn on synchronization” from the context menu. Once enabled, the list will scroll to the current function as you navigate in the database. You can also turn it off if you prefer to see a specific function in the list no matter where you are in the listing.

Folders

Since IDA 7.5, folders can be used to organize your functions. To enable, select “Show folders” in the context menu, then “Create folder with items…” to group selected items into a folder.

Colors & styles

Some functions in the list may be colored. In most cases the colors match the legend in the navigation bar:

  • Cyan: Library function (i.e. a function recognized by a FLIRT signature as a compiler runtime library function)
  • Magenta/Fuchsia: an external function thunk, i.e. a function implemented in an external module (often a DLL or a shared object)
  • Lime green: a function with metadata retrieved from the Lumina database

But there are also others:

  • Light green: function marked as decompiled
  • Other: function with manually set color (via Edit function… or a plugin/script)

You may also see functions marked in bold. These are functions which have a defined prototype (i.e types of arguments, return value and calling convention). The prototype may be defined by the user (Y hotkey), or set by the loader or a plugin (e.g. from the DWARF or PDB debug information).

Multi-selection

By selecting multiple items you can perform some operations on all of them, for example:

  • Delete function(s)…: deletes the selected functions by removing the function info (name, bounds) from the database. The instructions previously belonging to the functions remain so this can be useful, for example, for combining incorrectly split functions.
  • Add breakpoint: adds a breakpoint to the first instruction of all selected functions. This can be useful for discovering which functions are executed when you trigger a specific functionality in the program being debugged.
  • Lumina: you can push or pull metadata only for selected functions.