Description
The call to syscall.LoadLibrary("wpcap.dll") in pcap_windows.go results in the application searching the working directory for the DLL and its dependencies (including packet.dll and the npcap.sys driver). This leaves the application vulnerable to DLL hijacking, especially if executed from a "Downloads" directory or similar where a malicious DLL may have been planted.
The odd bit here is that SetDllDirectory() is being called with the system directory path, which would theoretically prevent this (and may have in the past, as I didn't notice it before).
The procmon screenshot below shows this being triggered by a go test in the pcap subdirectory.
Any idea why SetDllDirectory is not working as advertised? The call is not returning an error (specifically returns "The operation completed successfully." even though the current code ignores this error either way).
This is occurring on recent Windows 10 (x64_64) builds with Go 1.12.7.
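To check a Procmon capture like the one described above without reading it by eye, the following added example (not code from this issue or from gopacket) scans a CSV export for any event that touches `wpcap.dll` or `packet.dll` outside the expected system directories; a `NAME NOT FOUND` probe in the working directory is the sign that the loader searched there. Assumptions: the export uses Procmon's default columns, the trusted directories are `C:\Windows\System32` and its `Npcap` subdirectory, and the names `FindUntrustedProbes` and `Finding` are hypothetical.

```go
package main

import (
	"encoding/csv"
	"fmt"
	"strings"
)

// Constructed Procmon CSV export (default columns); not data from the issue.
const sampleCSV = `"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"10:01:02.1","pcap.test.exe","4242","CreateFile","C:\Users\dev\Downloads\wpcap.dll","NAME NOT FOUND",""
"10:01:02.2","pcap.test.exe","4242","Load Image","C:\Windows\System32\wpcap.dll","SUCCESS",""
"10:01:02.3","pcap.test.exe","4242","CreateFile","C:\Users\dev\Downloads\Packet.dll","NAME NOT FOUND",""
"10:01:02.4","pcap.test.exe","4242","Load Image","C:\Windows\System32\Npcap\Packet.dll","SUCCESS",""
`

// Assumed trusted directories and watched DLL names, lower-cased for matching.
var trusted = map[string]bool{`c:\windows\system32`: true, `c:\windows\system32\npcap`: true}
var watched = map[string]bool{"wpcap.dll": true, "packet.dll": true}

type Finding struct{ Process, Operation, Path, Result string }

// FindUntrustedProbes lists events for watched DLLs outside the trusted directories.
func FindUntrustedProbes(export string) ([]Finding, error) {
	export = strings.TrimPrefix(export, "\ufeff") // tolerate a UTF-8 BOM
	rows, err := csv.NewReader(strings.NewReader(export)).ReadAll()
	if err != nil || len(rows) == 0 {
		return nil, err
	}
	col := map[string]int{}
	for i, name := range rows[0] {
		col[name] = i
	}
	for _, need := range []string{"Process Name", "Operation", "Path", "Result"} {
		if _, ok := col[need]; !ok {
			return nil, fmt.Errorf("missing column %q", need)
		}
	}
	var out []Finding
	for _, rec := range rows[1:] {
		p := strings.ToLower(rec[col["Path"]])
		i := strings.LastIndex(p, `\`)
		if i >= 0 && watched[p[i+1:]] && !trusted[p[:i]] {
			out = append(out, Finding{rec[col["Process Name"]], rec[col["Operation"]], rec[col["Path"]], rec[col["Result"]]})
		}
	}
	return out, nil
}

func main() { fmt.Println(FindUntrustedProbes(sampleCSV)) }
```

An empty result after a loader change means no watched DLL was probed or loaded outside the trusted directories in that capture.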
