[pRED*]

On linux the vtable has a symbol, so you can look this up fairly trivially.

Windows would be more interesting, finding a byte signature that doesn't break would probably be difficult.

The vtable is definitely locatable using RTTI information, though I haven't look into this.

If you look for IDA plugins (on OpenRCE) and find one called MSVC reversing helpers (I think), and run the ms_rtti4.idc it will dump a text file with all the vtable addresses. It should be possible to use similar logic at runtime.

I can find a download link tomorrow if you can't find it.