.NET Inside Out Part 4 — How to override sealed function in C# Revisited

This is the fourth part of the .NET Inside Out series. For your convenience, you can find the other parts in the table of contents in Part 1 – Virtual and non-virtual calls in C#.

A word of warning! Things presented here depend on implementation details and require extensive knowledge of the internals. There are multiple things in place which may change the outcome: multi-tiered compilation, optimizations, JIT vs AoT compilation, and others. I wrote an article covering some aspects but YMMV.

Clickbait title once again. We have already seen how to override a sealed function, which we did by jumping to another method. Today we are going to do it by rewriting CLR metadata.

Method descriptor

Each method descriptor contains the address of the function's machine code. In theory, nothing stops us from rewriting this value to point to different code. See the following:

It works with ordinary methods but doesn't work with ngened ones, because they don't have the address stored in the method descriptor.
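
A read-only look at the slot discussed above, as an added example that is not the original post's code: it locates where the descriptor of a JIT-compiled method holds the entry point and later checks that the slot still has the recorded value. `Sample`, `Greet`, `MethodDescriptorCheck` and the four-slot scan window are assumptions made for illustration; the descriptor layout is runtime-specific, so a match is not guaranteed.

```csharp
using System;
using System.Reflection;
using System.Runtime.CompilerServices;
using System.Runtime.InteropServices;

// Hypothetical sample type; any type with a method would do.
class Sample { public string Greet() { return "hello"; } }

static class MethodDescriptorCheck
{
    // Assumption: if the descriptor stores the entry point at all, it sits in
    // one of its first few pointer-sized slots and that memory is readable.
    const int SlotsToScan = 4;

    // Returns the byte offset inside the descriptor that currently holds the
    // method's entry point, or -1 when no scanned slot matches (the ngen case).
    static int FindEntryPointOffset(MethodInfo method)
    {
        RuntimeMethodHandle handle = method.MethodHandle;
        RuntimeHelpers.PrepareMethod(handle);            // make sure an entry point exists
        IntPtr entryPoint = handle.GetFunctionPointer();
        for (int i = 0; i < SlotsToScan; i++)
        {
            int offset = i * IntPtr.Size;
            if (Marshal.ReadIntPtr(handle.Value, offset) == entryPoint)
                return offset;
        }
        return -1;
    }

    // Integrity check: does the slot still hold the value recorded earlier?
    // The runtime may update entry points itself, so a mismatch is a signal
    // to investigate, not proof that someone rewrote the descriptor.
    static bool SlotUnchanged(MethodInfo method, int offset, IntPtr expected)
    {
        return Marshal.ReadIntPtr(method.MethodHandle.Value, offset) == expected;
    }

    static void Main()
    {
        MethodInfo method = typeof(Sample).GetMethod("Greet");
        int offset = FindEntryPointOffset(method);
        if (offset < 0) { Console.WriteLine("Entry point not in scanned slots."); return; }
        IntPtr baseline = Marshal.ReadIntPtr(method.MethodHandle.Value, offset);
        Console.WriteLine("Entry point stored at descriptor offset " + offset);
        Console.WriteLine("Slot unchanged: " + SlotUnchanged(method, offset, baseline));
    }
}
```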