Awesome, thanks for the help guys, everything seems to work well now. Essentially instead of using the vtable of the initial Interface instance, we can just take the offset of the interface from the instance pointer, which becomes a void*** that contains the actual vtable. Updated initial code: http://pastie.org/8292653