I am developing a kernel agent for an EDR solution as part of my university graduation project


This year, for my graduation project, I'm developing a kernel agent for a Windows EDR (Endpoint Detection and Response) security solution.

I would appreciate any advice you could offer.

1. [All in one (driver)]: Is it okay to use all monitoring functions within a single kernel driver?

2. [Winsock but kernel]: Is it permissible to use Kernel-mode Winsock (WSK) within a kernel driver? (Is it frequently used and recommended?)

3. [Keep in mind]: What should I keep in mind when developing for the Windows kernel?